URL: https://github.com/freeipa/freeipa/pull/650 Author: stlaz Title: #650: CA-less installation fix Action: opened
PR body: """ These patches fix the CA-less installation by guessing the names for CA and server-cert nicknames in /etc/httpd/alias. The fix is not very nice since it's guessing but I am not sure if there's anything else we can do at this point. Also, `HTTPInstance.start/stop_tracking_certificates` would probably not need the guessing since it's only relevant for CA-full installations where we know the server-cert nickname is `Server-Cert` so I can replace it there if you think that'd be better. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/650/head:pr650 git checkout pr650
From 7d267b165f60845751f8577fcf2cf3bd67537bd9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 24 Mar 2017 09:52:18 +0100
Subject: [PATCH 1/2] Exclude ipaCert from server-cert nickname guess

ipaCert exists no more so it should be safe not to include it in server-cert nickname guessing.

https://pagure.io/freeipa/issue/6806
---
 ipaserver/install/httpinstance.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f6f0b0c..18088d9 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -386,8 +386,6 @@ def __setup_ssl(self):
 # We only handle one server cert
 nickname = server_certs[0][0]
- if nickname == 'ipaCert':
- nickname = server_certs[1][0]
 self.dercert = db.get_cert_from_db(nickname, pem=False)
 if self.ca_is_configured:

From 78d72871a2035c29a9e0947bcbc81bc720f75824 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 24 Mar 2017 09:53:56 +0100
Subject: [PATCH 2/2] Perform guesses of HTTP server-cert nickname

When doing CA-less installation, we don't know which nicknames we have for CA and server certificates in HTTPD NSS database. This fix is not very nice but it should do for the time-being.

https://pagure.io/freeipa/issue/6806
---
 ipaserver/install/httpinstance.py | 28 ++++++++++++++++++++--------
 ipaserver/install/server/upgrade.py | 3 ++-
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 18088d9..91a4340 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,9 +118,9 @@ class WebGuiInstance(service.SimpleServiceInstance):
 def __init__(self):
 service.SimpleServiceInstance.__init__(self, "ipa_webgui")
+
 class HTTPInstance(service.Service):
- def __init__(self, fstore=None, cert_nickname='Server-Cert',
- api=api):
+ def __init__(self, fstore=None, cert_nickname=None, api=api):
 super(HTTPInstance, self).__init__(
 "httpd",
 service_desc="the web interface",
@@ -154,6 +154,9 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
 CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
 )
 self.ca_file = ca_file
+ # we only know the server-cert nickname if this is not CA-less
+ if self.pkcs12_info is None and self.cert_nickname is None:
+ self.cert_nickname = 'Server-Cert'
 if ca_is_configured is not None:
 self.ca_is_configured = ca_is_configured
 self.promote = promote
@@ -382,16 +385,20 @@ def __setup_ssl(self):
 if len(server_certs) == 0:
 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
+ # this is CA-less and we don't know the server-cert nickname
+ if self.cert_nickname is None:
+ # We only handle one server cert
+ self.cert_nickname = server_certs[0][0]
 self.create_password_conf()
- # We only handle one server cert
- nickname = server_certs[0][0]
- self.dercert = db.get_cert_from_db(nickname, pem=False)
+ self.dercert = db.get_cert_from_db(self.cert_nickname, pem=False)
 if self.ca_is_configured:
- db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
+ db.track_server_cert(
+ self.cert_nickname, self.principal, db.passwd_fname,
+ 'restart_httpd')
- self.__set_mod_nss_nickname(nickname)
+ self.__set_mod_nss_nickname(self.cert_nickname)
 self.add_cert_to_service()
 else:
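Review bot: Changing the `cert_nickname` default from `'Server-Cert'` to `None` silently changes the meaning of every `HTTPInstance(...)` construction that relied on the default; only the `upgrade.py` caller is adjusted in this PR, so any other constructor site not visible here now enters the nickname-guessing path even on a CA-full server. I would confirm that each such caller either passes the nickname explicitly or reaches `create_instance`, where the `pkcs12_info is None` fallback restores `'Server-Cert'`. The new contract also deserves a line in the class docstring, e.g. `cert_nickname: NSS nickname of the HTTP server certificate; None means "not known yet, derive it from the httpd NSS database" (CA-less installs).` The body of `__init__` continues outside the hunk.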
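Review bot: The guess `self.cert_nickname = server_certs[0][0]` takes the first server certificate found in the imported PKCS#12 without checking that there is exactly one, although the comment says only one is handled; if the bundle carries several server certificates, the nickname that ends up in mod_nss and in certmonger tracking depends on whatever order `find_server_certs()` returns, and a wrong pick means httpd serves a certificate the administrator did not intend. Since the `len(server_certs) == 0` case already raises, the ambiguous case should be explicit as well, e.g. `if len(server_certs) > 1: raise RuntimeError("Multiple server certificates found in %s, specify which one to use" % self.pkcs12_info[0])` placed before the guess, or at least a log line naming the chosen nickname if rejecting would break existing bundles. The same first-element guess is repeated in `stop_tracking_certificates` and `start_tracking_certificates` in the later hunk, which argues for one shared helper that resolves the nickname. `__setup_ssl` starts and ends outside the hunk.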
@@ -439,7 +446,8 @@ def __import_ca_certs(self):
 def __publish_ca_cert(self):
 ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
 subject_base=self.subject_base)
- ca_db.publish_ca_cert(paths.CA_CRT)
+ ca_nickname = ca_db.find_root_cert(self.cert_nickname)[-1]
+ ca_db.export_pem_cert(ca_nickname, paths.CA_CRT)
 def is_kdcproxy_configured(self):
 """Check if KDC proxy has already been configured in the past"""
@@ -590,9 +598,13 @@ def uninstall(self):
 def stop_tracking_certificates(self):
 db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+ if self.cert_nickname is None:
+ self.cert_nickname = db.find_server_certs()[0][0]
 db.untrack_server_cert(self.cert_nickname)
 def start_tracking_certificates(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+ if self.cert_nickname is None:
+ self.cert_nickname = db.find_server_certs()[0][0]
 db.track_server_cert(self.cert_nickname, self.principal, db.passwd_fname, 'restart_httpd')
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1706079..fb796ab 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1639,7 +1639,8 @@ def upgrade_configuration():
 removed_sysconfig_file)
 fstore.restore_file(removed_sysconfig_file)
- http = httpinstance.HTTPInstance(fstore)
+ httpd_cert_nick = 'Server-Cert' if ca.is_configured() else None
+ http = httpinstance.HTTPInstance(fstore, cert_nickname=httpd_cert_nick)
 http.fqdn = fqdn
 http.realm = api.env.realm
 http.configure_selinux_for_httpd()
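Review bot: `ca_db.find_root_cert(self.cert_nickname)[-1]` relies on two things the hunk does not check: that `self.cert_nickname` has already been resolved (in a CA-less install it is only set inside `__setup_ssl`, so the call order matters) and that the returned chain is non-empty and ends at a self-signed root. If the chain stored in the httpd NSS database stops at an intermediate, `[-1]` exports that intermediate to `paths.CA_CRT`, which is the file clients are handed as their trust anchor, and an empty result fails with a bare `IndexError` instead of a message. I would guard it, e.g. `chain = ca_db.find_root_cert(self.cert_nickname)` followed by `if not chain: raise RuntimeError("No CA certificate found for %s" % self.cert_nickname)`, and, if `CertDB` exposes it, verify the last element is self-signed before exporting. The semantics of `find_root_cert` are not visible here, so this is to be confirmed against `certs.CertDB`.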
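Review bot: `db.find_server_certs()[0][0]` raises `IndexError` when the httpd NSS database holds no server certificate, and in `stop_tracking_certificates` that aborts an uninstall on a half-configured host, which is exactly when the database is most likely to be empty. Guarding the lookup lets uninstall proceed while `start_tracking_certificates` can still fail loudly; the duplicated guess in both methods (and in `__setup_ssl` in the earlier hunk) also argues for a single helper that resolves the nickname once. Both methods fit entirely within the hunk.
```python
    def stop_tracking_certificates(self):
        db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
        if self.cert_nickname is None:
            server_certs = db.find_server_certs()
            if not server_certs:
                # no server cert in the database: nothing to untrack
                return
            self.cert_nickname = server_certs[0][0]
        db.untrack_server_cert(self.cert_nickname)
    # … unchanged: start_tracking_certificates …
```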
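Review bot: The first patch drops the `ipaCert` skip on the grounds that `ipaCert` "exists no more", but this hunk routes every CA-less server through `upgrade_configuration` with `cert_nickname=None`, where `stop_tracking_certificates` and `start_tracking_certificates` guess `find_server_certs()[0][0]` against a database that predates this release; unless an earlier upgrade step is guaranteed to have removed `ipaCert` from `/etc/httpd/alias` before this point, the guess can land on it on upgraded hosts, which the removed check used to prevent. Either that ordering should be confirmed or a defensive skip of `ipaCert` kept in the guessing path. As a minor style point, `httpd_cert_nick` abbreviates the attribute it feeds; `httpd_cert_nickname = 'Server-Cert' if ca.is_configured() else None` keeps the names aligned. `upgrade_configuration` starts and ends outside the hunk.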