Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 11/18/2013 01:54 PM, Tomas Babej wrote:
On 11/15/2013 03:36 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.
The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions insert_ca_cert_into_systemwide_ca_store() and remove_ca_cert_from_systemwide_ca_store(). But these functions do not return any values, so you will always be logging `None`.

Thanks for the review, I removed the code (it was meant for debugging purposes only). Updated patch attached.

Adding the CA to the NSS cert database is considered a fatal error. Should adding it to the global trust database be fatal as well? I don't know the answer, but if we want to do this at some point should these functions return True/False to denote success/failure?

rob

I don't think it should be considered fatal, at least not now. I updated the patch to return the success/failure status, even though this could be done when it will be required. But it doesn't hurt anything either; at least other platform files will develop systemwide CA store functions with this approach in mind. Updated patch attached.

Looks good, ACK.

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 11/20/2013 12:59 PM, Ana Krivokapic wrote:
On 11/18/2013 01:54 PM, Tomas Babej wrote:
[...]

Updated patch attached.

Looks good, ACK.

Pushed to master: 4a0e91449e2b65304ae8d660d1a480200b1a13d3

--
Petr³

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 11/15/2013 03:36 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.
The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions insert_ca_cert_into_systemwide_ca_store() and remove_ca_cert_from_systemwide_ca_store(). But these functions do not return any values, so you will always be logging `None`.

Thanks for the review, I removed the code (it was meant for debugging purposes only). Updated patch attached.

Adding the CA to the NSS cert database is considered a fatal error. Should adding it to the global trust database be fatal as well? I don't know the answer, but if we want to do this at some point should these functions return True/False to denote success/failure?

rob

I don't think it should be considered fatal, at least not now. I updated the patch to return the success/failure status, even though this could be done when it will be required. But it doesn't hurt anything either; at least other platform files will develop systemwide CA store functions with this approach in mind. Updated patch attached.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From cf08fabea67b4594a2a97154ef6568a6db4e1f0a Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide store

During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box.

https://fedorahosted.org/freeipa/ticket/3504
---
ipa-client/ipa-install/ipa-client-install | 13 +-
ipapython/platform/fedora19/__init__.py | 67 ++-
ipapython/services.py.in | 11 -
3 files changed, 88 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7095e922663af73edae5a537a923888794b74879..e79cb48b04e7bdf23f6fd757e022e57dbb544640 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -673,6 +673,9 @@ def uninstall(options, env): root_logger.warning('Please remove /etc/ipa/default.conf manually, ' 'as it can cause subsequent installation to fail.') +# Remove the CA cert from the systemwide certificate store +ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT) + # Remove the CA cert try: os.remove(CACERT) @@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR root_logger.info(Configured /etc/sssd/sssd.conf) +# Add the CA to the platform-dependant systemwide CA store +
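Review bot: in the uninstall hunk the result of ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT) is thrown away, so if removing the anchor or refreshing the trust database fails the host keeps trusting the IPA CA system-wide with nothing in the log; now that the helper reports success/failure (per the reply above), test the result and emit a root_logger.warning() when it is False before falling through to os.remove(CACERT). Minor: the comment in the install hunk should read "platform-dependent", not "platform-dependant".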
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.

The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions insert_ca_cert_into_systemwide_ca_store() and remove_ca_cert_from_systemwide_ca_store(). But these functions do not return any values, so you will always be logging `None`.

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.

The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions insert_ca_cert_into_systemwide_ca_store() and remove_ca_cert_from_systemwide_ca_store(). But these functions do not return any values, so you will always be logging `None`.

Thanks for the review, I removed the code (it was meant for debugging purposes only). Updated patch attached.

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 65fe7943ffda6c7c57b697d7e59cba8857f42e9c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide store

During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box.

https://fedorahosted.org/freeipa/ticket/3504
---
ipa-client/ipa-install/ipa-client-install | 13 ++-
ipapython/platform/fedora19/__init__.py | 58 ++-
ipapython/services.py.in | 11 +-
3 files changed, 79 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7095e922663af73edae5a537a923888794b74879..e79cb48b04e7bdf23f6fd757e022e57dbb544640 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -673,6 +673,9 @@ def uninstall(options, env): root_logger.warning('Please remove /etc/ipa/default.conf manually, ' 'as it can cause subsequent installation to fail.') +# Remove the CA cert from the systemwide certificate store +ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT) + # Remove the CA cert try: os.remove(CACERT) @@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR root_logger.info(Configured /etc/sssd/sssd.conf) +# Add the CA to the platform-dependant systemwide CA store +ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT) + # Add the CA to the default NSS database and trust it try: -run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) +root_logger.debug(Attempting to add CA directly to the + default NSS database.) +run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, + -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) except
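Review bot: in the install hunk ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT) is called and its outcome ignored, while the certutil step immediately below it returns CLIENT_INSTALL_ERROR on failure; a client can therefore finish installing with the CA in /etc/pki/nssdb but absent from the systemwide trust database and nothing logged about it. Either check the helper's return value and log a warning (it need not be fatal), or say in the comment that this step is best-effort. Also, "platform-dependant" in that comment should be "platform-dependent".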
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
Tomas Babej wrote:
On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
On 11/13/2013 02:57 PM, Tomas Babej wrote:
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.

The patch works fine; a couple of nitpicks:

1) The import of root_logger in services.py.in is unused.

2) In ipa-client-install, you log the return values of functions insert_ca_cert_into_systemwide_ca_store() and remove_ca_cert_from_systemwide_ca_store(). But these functions do not return any values, so you will always be logging `None`.

Thanks for the review, I removed the code (it was meant for debugging purposes only). Updated patch attached.

Adding the CA to the NSS cert database is considered a fatal error. Should adding it to the global trust database be fatal as well? I don't know the answer, but if we want to do this at some point should these functions return True/False to denote success/failure?

rob

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 09/27/2013 10:14 AM, Martin Kosek wrote:
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

Updated patch attached, requires my patch 130.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From cd0fb864ba45c93c81f4cef68dc470c1fcf05219 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com Date: Tue, 24 Sep 2013 10:54:57 +0200 Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide store During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box. https://fedorahosted.org/freeipa/ticket/3504 --- ipa-client/ipa-install/ipa-client-install | 14 +++- ipapython/platform/fedora19/__init__.py | 58 ++- ipapython/services.py.in | 13 ++- 3 files changed, 82 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 1f66ae5d635d98ba45df13d92ca7982068d94752..9299db12015434379916ffa35d7ee7e830cf42ad 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -652,6 +652,9 @@ def uninstall(options, env): root_logger.warning('Please remove /etc/ipa/default.conf manually, ' 'as it can cause subsequent installation to fail.') +# Remove the CA cert from the systemwide certificate store +ret = ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT) + # Remove the CA cert try: os.remove(CACERT) 
@@ -2312,12 +2315,21 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR root_logger.info(Configured /etc/sssd/sssd.conf) +# Add the CA to the platform-dependant systemwide CA store +ret = ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT) +root_logger.info('Returned value from systemwide: %s ' % ret) + # Add the CA to the default NSS database and trust it try: -run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) +root_logger.debug(Attempting to add CA directly to the + default NSS database.) +run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, + -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) except CalledProcessError, e: root_logger.info(Failed to add CA to the default NSS database.) return CLIENT_INSTALL_ERROR +else: +root_logger.info('Added the CA to the default NSS database.') host_principal = 'host/%s@%s' % (hostname, cli_realm) if options.on_master: diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py index 80356d65f4d07483000d57e16b193a857d0988ca..1bd2fcdc7af0e016ad58e2d935edd33cefc3a2f2 100644 --- a/ipapython/platform/fedora19/__init__.py +++ b/ipapython/platform/fedora19/__init__.py @@ -17,6 +17,14 @@ # along with this program. If not, see http://www.gnu.org/licenses/. # +import shutil +import os + +from subprocess import CalledProcessError + +from ipapython.ipa_log_manager import root_logger +from ipapython.ipautil import run + from ipapython.platform import
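Review bot: in the uninstall hunk `ret = ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)` assigns a value that is never read, and in the install hunk `root_logger.info('Returned value from systemwide: %s ' % ret)` writes a debugging line (with a stray trailing space inside the format string) into the normal install log on every client install; the platform helpers as posted return nothing, so this always logs None. Drop both, or give the helpers a real True/False result and log a warning only when it is False. The comment "platform-dependant" should read "platform-dependent".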
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 09/26/2013 04:46 PM, Jan Cholasta wrote:
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

Right. I am also thinking if this functionality should not be somehow integrated into the platform files so that it can be overridden in platforms that do not have the systemwide storage.

Martin

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

--
Jan Cholasta

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 4f8b708b588265bf2678895b433fa33fe52ad6a4 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide store

During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box.

https://fedorahosted.org/freeipa/ticket/3504
---
ipa-client/ipa-install/ipa-client-install | 39 ---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7e474bd59a850e12f1f9f2f72a81cf9a979f779a..4eec8dc8387228bc45ef15f47de26c1d4324a353 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -24,12 +24,14 @@ try: import os import time +import shutil import socket import urlparse import tempfile import getpass from ConfigParser import RawConfigParser from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError +from subprocess import CalledProcessError import nss.nss as nss import SSSDConfig @@ -69,6 +71,7 @@ SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy' SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts' client_nss_nickname_format = 'IPA Machine Certificate - %s' +systemwide_ca_cert = '/etc/pki/ca-trust/source/anchors/ipa-ca.crt' def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): @@ -371,6 +374,18 @@ def uninstall(options, env): root_logger.error( Failed to remove IPA CA from /etc/pki/nssdb: %s, str(e)) +# Remove CA cert from systemwide store +if os.path.exists(systemwide_ca_cert): +try: +os.remove(systemwide_ca_cert) +run(['/usr/bin/update-ca-trust']) +except OSError, e: +root_logger.error('Could not remove: %s, %s' + % (systemwide_ca_cert, str(e))) +except CalledProcessError, e: +root_logger.error('Could not update systemwide CA trust ' + 'database: %s' % str(e)) + # Always start certmonger. We can't untrack something if it isn't # running messagebus = ipaservices.knownservices.messagebus 
@@ -2303,12 +2318,30 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR root_logger.info(Configured /etc/sssd/sssd.conf) -# Add the CA to the default NSS database and trust it +# Add the CA to the systemwide CA trust database try: -run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) +shutil.copy(CACERT, systemwide_ca_cert) +run(['/usr/bin/update-ca-trust']) +except OSError, e: +root_logger.info(Failed to copy %s to %s % (CACERT, + systemwide_ca_cert)) except CalledProcessError, e: -root_logger.info(Failed to add CA to the default NSS database.) +root_logger.info(Failed to add CA to the systemwide + CA trust database.) +else: +root_logger.info('Added the CA to the systemwide CA trust database.') + +# Adding CA directly to the default NSS database +try: +root_logger.debug(Attempting to add CA directly to the + default NSS database.) +run([/usr/bin/certutil, -A, -d,
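Review bot: in the install hunk, when shutil.copy(CACERT, systemwide_ca_cert) succeeds but run(['/usr/bin/update-ca-trust']) raises CalledProcessError, the except branch only logs and leaves ipa-ca.crt in /etc/pki/ca-trust/source/anchors, so the next update-ca-trust run on the host, triggered by anything at all, starts trusting the IPA CA even though the installer reported a failure; remove the copied file in that branch, or record it in the statestore so uninstall can clean it up. The same hunk invokes /usr/bin/update-ca-trust without checking that it exists and relies on a hard-coded Fedora path defined at module level in ipa-client-install, so on a distribution without ca-trust the copy either fails or lands in a directory nothing reads; put the path and the refresh command behind the platform files, as the thread goes on to suggest. The failure messages use root_logger.info, where warning is the appropriate level for a step that did not happen.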
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On 26.9.2013 12:59, Tomas Babej wrote:
On 09/26/2013 12:54 PM, Jan Cholasta wrote:
On 24.9.2013 18:14, Nalin Dahyabhai wrote:
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:

We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

Thanks for the info. Tomáš, the patch is fine then. I have one more nitpick though: why did you change "the default NSS database" to "the NSS database"? The database in /etc/pki/nssdb *is* the default NSS database, so please change it back. Also I think "systemwide CA trust database" is better than "systemwide CA store".

Honza

I fixed the descriptions. Updated patch attached.

Tomas

Thanks. There's one more thing: we should probably check if /usr/bin/update-ca-trust exists before using it, for the sake of cross-distro compatibility.

--
Jan Cholasta

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
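Jan's request above to check for /usr/bin/update-ca-trust before calling it, and Rob's later question about whether the systemwide step should report success or failure, are the two things that are easy to get wrong in this install path. The following is an added example, not code from the patch or from FreeIPA: it publishes a CA certificate into a ca-certificates style anchors directory, refuses to run when the refresh tool is missing, returns True/False instead of raising, and removes the anchor again if the trust-database refresh fails so that a failed install cannot leave a half-published CA for the next refresh to pick up. The anchors directory and the refresh command are parameters, and demo() runs everything against a scratch directory with a stand-in for update-ca-trust; these are assumptions made so the example runs anywhere. On Fedora the real values would be /etc/pki/ca-trust/source/anchors and ['/usr/bin/update-ca-trust']. Python 3.

```python
"""Added example (not FreeIPA code): publish a CA certificate to a systemwide
trust store with the checks the review asked for.  Real Fedora values would be
/etc/pki/ca-trust/source/anchors and ['/usr/bin/update-ca-trust']; here they
are parameters so demo() can use a scratch directory and a fake refresh tool.
"""
import os
import shutil
import subprocess
import sys
import tempfile

ANCHOR_NAME = "ipa-ca.crt"   # same file name the patch uses in the anchors dir


def update_tool_usable(update_cmd):
    """The cross-distro check from the review: is the refresh tool really there?"""
    return os.path.isfile(update_cmd[0]) and os.access(update_cmd[0], os.X_OK)


def insert_ca_cert_into_systemwide_ca_store(cacert, anchors_dir, update_cmd):
    """Copy cacert into anchors_dir and refresh the trust database.

    Returns True on success, False on failure (non-fatal, as agreed in the
    thread).  The anchor is written to a temp file and renamed into place; if
    the refresh fails it is removed again, so a failed run never leaves a
    half-published CA behind for the next refresh to pick up.
    """
    if not update_tool_usable(update_cmd):
        return False
    dest = os.path.join(anchors_dir, ANCHOR_NAME)
    tmp_path, published = None, False
    try:
        fd, tmp_path = tempfile.mkstemp(dir=anchors_dir, prefix=".ipa-ca.")
        with os.fdopen(fd, "wb") as out, open(cacert, "rb") as src:
            shutil.copyfileobj(src, out)
        os.chmod(tmp_path, 0o644)   # anchors are public; only root may write
        os.rename(tmp_path, dest)   # atomic: readers see the old or the new file
        tmp_path, published = None, True
        subprocess.check_call(update_cmd)
        return True
    except (OSError, subprocess.CalledProcessError):
        if tmp_path and os.path.exists(tmp_path):
            os.remove(tmp_path)
        if published and os.path.exists(dest):
            os.remove(dest)
        return False


def remove_ca_cert_from_systemwide_ca_store(anchors_dir, update_cmd):
    """Undo the above; True only if the anchor is gone and the database refreshed."""
    dest = os.path.join(anchors_dir, ANCHOR_NAME)
    if not os.path.exists(dest):
        return True
    try:
        os.remove(dest)
        if not update_tool_usable(update_cmd):
            return False   # file is gone, but the trust database is now stale
        subprocess.check_call(update_cmd)
        return True
    except (OSError, subprocess.CalledProcessError):
        return False


def _fake_tool(path, exit_code):
    """Stand-in for update-ca-trust used by demo(): a script that just exits."""
    with open(path, "w") as f:
        f.write("import sys\nsys.exit(%d)\n" % exit_code)
    return [sys.executable, path]


def demo():
    """Exercise the helpers in a scratch directory; the cert body is constructed filler."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        anchors = os.path.join(work, "anchors")
        os.mkdir(anchors)
        anchor = os.path.join(anchors, ANCHOR_NAME)
        cacert = os.path.join(work, "ca.crt")
        with open(cacert, "wb") as f:
            f.write(b"-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholder==\n"
                    b"-----END CERTIFICATE-----\n")
        ok_tool = _fake_tool(os.path.join(work, "update-ca-trust.py"), 0)
        bad_tool = _fake_tool(os.path.join(work, "update-ca-trust-broken.py"), 1)
        insert = insert_ca_cert_into_systemwide_ca_store
        results["no_tool"] = insert(cacert, anchors, [os.path.join(work, "missing")])
        results["insert_ok"] = insert(cacert, anchors, ok_tool)
        results["anchor_present"] = os.path.isfile(anchor)
        results["remove_ok"] = remove_ca_cert_from_systemwide_ca_store(anchors, ok_tool)
        results["anchor_gone"] = not os.path.exists(anchor)
        results["refresh_failed"] = insert(cacert, anchors, bad_tool)
        results["rolled_back"] = not os.path.exists(anchor)
        results["no_leftovers"] = os.listdir(anchors) == []
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-15s %s" % (key, value))
```

The non-fatal True/False contract mirrors what the thread settles on for the platform helpers; what the helpers add beyond the patch is the rollback, which matters because anything dropped into the anchors directory becomes trusted on the next refresh regardless of who triggers it.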
[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
Hi,

During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the box.

https://fedorahosted.org/freeipa/ticket/3504

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

From 9e61407d6db5b5c673a1d2924b8f4ba3936812a7 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 24 Sep 2013 10:54:57 +0200 Subject: [PATCH] ipa-client-install: Publish CA certificate to systemwide store During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box. https://fedorahosted.org/freeipa/ticket/3504 --- ipa-client/ipa-install/ipa-client-install | 38 --- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7e474bd59a850e12f1f9f2f72a81cf9a979f779a..80824164f12c2c73aa960e9ed027079a7698600f 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -24,12 +24,14 @@ try: import os import time +import shutil import socket import urlparse import tempfile import getpass from ConfigParser import RawConfigParser from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError +from subprocess import CalledProcessError import nss.nss as nss import SSSDConfig @@ -69,6 +71,7 @@ SSH_PROXYCOMMAND = '/usr/bin/sss_ssh_knownhostsproxy' SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts' client_nss_nickname_format = 'IPA Machine Certificate - %s' +systemwide_ca_cert = '/etc/pki/ca-trust/source/anchors/ipa-ca.crt' def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): 
@@ -371,6 +374,18 @@ def uninstall(options, env): root_logger.error( Failed to remove IPA CA from /etc/pki/nssdb: %s, str(e)) +# Remove CA cert from systemwide store +if os.path.exists(systemwide_ca_cert): +try: +os.remove(systemwide_ca_cert) +run(['/usr/bin/update-ca-trust']) +except OSError, e: +root_logger.error('Could not remove: %s, %s' + % (systemwide_ca_cert, str(e))) +except CalledProcessError, e: +root_logger.error('Could not update systemwide CA trust ' + 'database: %s' % str(e)) + # Always start certmonger. We can't untrack something if it isn't # running messagebus = ipaservices.knownservices.messagebus @@ -2303,12 +2318,29 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR root_logger.info(Configured /etc/sssd/sssd.conf) -# Add the CA to the default NSS database and trust it +# Add the CA to the systemwide CA store try: -run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) +shutil.copy(CACERT, systemwide_ca_cert) +run(['/usr/bin/update-ca-trust']) +except OSError, e: +root_logger.info(Failed to copy %s to %s % (CACERT, + systemwide_ca_cert)) except CalledProcessError, e: -root_logger.info(Failed to add CA to the default NSS database.) +root_logger.info(Failed to add CA to the systemwide CA store.) +else: +root_logger.info('Added the CA to the systemwide CA store.') + +# Adding CA directly to the NSS database +try: +root_logger.debug(Attempting to add CA directly to the NSS + database.) +run([/usr/bin/certutil, -A, -d, /etc/pki/nssdb, + -n, IPA CA, -t, CT,C,C, -a, -i, CACERT]) +except CalledProcessError, e: +root_logger.info('Failed to add CA to the NSS database.') return CLIENT_INSTALL_ERROR +else: +root_logger.info('Added the CA to the NSS database.') host_principal = 'host/%s@%s' % (hostname, cli_realm) if options.on_master: -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
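Review bot: `systemwide_ca_cert = '/etc/pki/ca-trust/source/anchors/ipa-ca.crt'` in the `@@ -69,6 +71,7 @@` hunk hard-codes the Fedora/RHEL ca-trust layout into ipa-client-install next to distribution-neutral settings; other platforms keep their anchors elsewhere or have no update-ca-trust at all, so this path and the `/usr/bin/update-ca-trust` command paired with it belong in the platform-specific module, where a platform without the ca-trust layout can override or skip them.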
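Review bot: in the uninstall() hunk (`@@ -371,6 +374,18 @@`), `os.remove(systemwide_ca_cert)` and `run(['/usr/bin/update-ca-trust'])` share one try block, so an OSError from `run` when the tool is absent is logged as `Could not remove: ...` although the anchor was in fact removed; split the two operations and check for the tool before calling it. Worth stating in the `Could not update systemwide CA trust database` message as well: until update-ca-trust has rerun, the IPA CA stays in the generated bundles even though the anchor file is gone, so in that branch the host still trusts the CA.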
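Review bot: the `# Adding CA directly to the NSS database` comment in the install() hunk (`@@ -2303,12 +2318,29 @@`) should say why certutil is still run after update-ca-trust succeeded (the p11-kit trust store is not visible through /etc/pki/nssdb unless libnssckbi.so is linked into it, and the client install fails without the entry), otherwise the next reader will drop the step as redundant. Two smaller points in the same hunk: `shutil.copy(CACERT, systemwide_ca_cert)` preserves the mode bits of CACERT, so if that file is not world-readable the anchor will not be either; `shutil.copyfile` followed by an explicit chmod to 0644 makes the intended permissions clear. And the systemwide failure is logged at info while the nssdb failure returns CLIENT_INSTALL_ERROR; either log the former at warning or document in the comment why it is non-fatal.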
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
Hi,

On 24.9.2013 12:03, Tomas Babej wrote:
> Hi,
>
> During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database.
>
> This allows browsers to access IPA WebUI without warning out of the box.
>
> https://fedorahosted.org/freeipa/ticket/3504

I think you should update /etc/pki/nssdb manually only if update-ca-cert fails.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
> We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work: http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html. I wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

HTH,

Nalin