[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From cbe2a8491beea81a80a2cb261496d1c41c9b2195 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 4 install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + ipaserver/setup.py| 1 + 5 files changed, 73 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..83788bf 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -199,6 +199,7 @@ BuildRequires: python-nose BuildRequires: python-paste BuildRequires: systemd-python BuildRequires: python2-jinja2 +BuildRequires: python-augeas %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work @@ -236,6 +237,7 @@ BuildRequires: python3-nose BuildRequires: python3-paste BuildRequires: python3-systemd BuildRequires: python3-jinja2 +BuildRequires: python3-augeas %endif # with_python3 %endif # with_lint @@ -359,6 +361,7 @@ Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, 
@@ -388,6 +391,7 @@ Requires: python3-pyasn1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas Requires: rpm-libs Requires: pki-base-python3 diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
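Review bot: `nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` is passed straight to `db.trust_root_cert`, and as far as I recall get_directive returns None when the directive is absent; the new block also sits before the existing `try:` (whose body, the actual restart, is outside the hunk), so any failure here — missing directive, unreadable NSS DB, api.bootstrap error — aborts the script before httpd is restarted, which after a certificate renewal presumably leaves httpd serving the pre-renewal certificate. Guarding with `if nickname is not None:` and moving the block into the existing try so the restart still runs would keep the renewal path robust. The comment `# Add trust flag which set certificate trusted for SSL connections.` undersells why this is done; `# Mark httpd's own server cert as a trusted peer ("P,,") so mod_nss can start before the OCSP responder it would need to validate that cert is reachable.` matches the commit message. The same hunk is repeated unchanged at L7, L11, L15, L19, L23, L27 and L31.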
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 9e8e55bb205211637539bf149eb1fa0ed13ff872 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 2 ++ install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + 4 files changed, 70 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..0b5500e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -359,6 +359,7 @@ Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 +Requires: python-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -388,6 +389,7 @@ Requires: python3-pyasn1 Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 +Requires: python3-augeas Requires: rpm-libs Requires: pki-base-python3 diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers =
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 91565422833deab89b378bb40df2bf19e9cb2209 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 25 + 4 files changed, 69 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..ab688a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ def __setup_ssl(self): create=True)
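Review bot: enable_mod_nss_ocsp never releases the Augeas handle it creates on its first line; wrapping the body from the first `aug.set` through `aug.save()` in `try:` … `finally: aug.close()` frees the parsed tree once the file is written. The method also has no docstring; `"""Turn on NSSOCSP in the mod_nss VirtualHost: revive a commented-out NSSOCSP line if there is one, otherwise append the directive."""` states the two branches. As far as I know `aug.set` and `aug.rename` on a predicate path fail when more than one node matches, so an nss.conf with two VirtualHost blocks or two commented NSSOCSP lines would abort the step rather than pick one; that is probably acceptable for a file IPA owns but deserves a one-line comment. The same code appears in the hunks at L16, L20 and L24.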
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 740da4c68e307187de86beb2113df87157a9e950 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..72488cc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ def __setup_ssl(self): create=True)
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 3c994f38a5dad38b89c57ecce0558059d4d39e65 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..24fc838 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -314,6 +314,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 7898c53..72488cc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.install import certmonger from ipaserver.install import service @@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -351,6 +378,7 @@ def __setup_ssl(self): create=True)
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 2da6692288d276e199f3d4d92a69fd59f31ff138 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..f291580 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lens') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +396,7 @@ def __setup_ssl(self): create=True)
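Review bot: `aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')` names a lens that does not exist — Augeas lens references are of the form `Module.lns`, and the earlier revisions of this hunk (L8–L20) use `Httpd.lns`. With an unresolvable lens I believe `aug.load()` records an error under /augeas/load/Httpd and leaves nothing under /files, so both `aug.get` calls return None, the method takes the append branch against a tree with no file behind it, and `aug.save()` would fail rather than write the directive; the line should read `aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')`. The same typo is in the hunk at L28.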
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 96447296da8dd4ee565d9b5dcf5991e160e87091 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH 1/2] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 19 +++ ipaserver/install/server/upgrade.py | 24 4 files changed, 57 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..90f918b 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lens') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +385,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +410,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py
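Review bot: `aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)` references the bare name `Augeas`, but this revision changed the import to `import augeas`, so the first line of enable_mod_nss_ocsp raises NameError; it should read `aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD)`. This revision also drops the `ocsp_dir is None` checks of L24 and rewrites the `#comment` node unconditionally; on a re-run (upgrade is presumably re-run on every package update) the commented line no longer exists, and as far as I know python-augeas raises when `set` is given a predicate path that matches no node, which would make the step non-idempotent — the same applies to the hunk at L32. Skipping the comment rewrite when `aug.match('{}/directive[.="NSSOCSP"]'.format(path))` is non-empty keeps the step re-runnable.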
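Review bot: `db.trust_root_cert(nickname, "P,,")` gives httpd's own server certificate peer trust without a comment saying why, which a later reader is likely to "fix" as over-trust; a one-line comment taken from the commit message would do: `# Trusted-peer flag: lets mod_nss start without first reaching the OCSP responder it would otherwise need to validate its own cert.` The call is also only made in the `pkcs12_info` branch; whether the `else` path (outside the hunk) relies on restart_httpd to apply the same flag is not visible here and is worth stating in the same comment. The hunk at L32 is identical.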
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From d2a319e8aed6cc0510fb2b4395a8e37f487fa95c Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 19 +++ ipaserver/install/server/upgrade.py | 24 4 files changed, 57 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..aefb9dc 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
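Review bot: `installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` presumably returns None when the directive is absent, and the next line passes that straight into `db.trust_root_cert(nickname, "P,,")`, which will blow up inside a script certmonger runs right after a renewal. Guard it so the trust change is skipped but the restart still happens: on `if nickname is None:` log with `syslog.syslog(syslog.LOG_ERR, 'NSSNickname not found in %s, trust flags unchanged' % paths.HTTPD_NSS_CONF)` and call `db.trust_root_cert(nickname, "P,,")` only in the `else:` branch. The added comment `# Add trust flag which set certificate trusted for SSL connections.` reads better as `# Mark the server cert as a trusted peer ('P,,') so mod_nss can start with NSSOCSP on.` `_main` continues past the hunk, and the same unguarded lookup is in the restart_httpd hunk of the third revision (commit dcd894b).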
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', + paths.HTTPD_NSS_CONF[1:], + 'VirtualHost') +aug.set( +'{path}/#comment[. =~ regexp("NSSOCSP .*")]'.format(path=ocsp_path), +'NSSOCSP') +aug.rename('{path}/#comment[. = "NSSOCSP"]'.format(path=ocsp_path), + 'directive') +aug.set('{path}/directive[. = "NSSOCSP"]/arg'.format(path=ocsp_path), +'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +385,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +410,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py
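Review bot: `augeas.Augeas()` with default flags makes Augeas load every lens and parse every file they cover on the host just to edit nss.conf, which is noticeably slow in an installer step; constructing it with `flags=augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD`, setting `/augeas/load/Httpd/lens` and `/augeas/load/Httpd/incl` to `paths.HTTPD_NSS_CONF`, then `aug.load()` limits the tree to the one file. Also, I believe `aug.set` on the regexp-predicated `#comment[. =~ regexp("NSSOCSP .*")]` path errors out (python-augeas raises ValueError) when more than one comment node matches, so a nss.conf with two `NSSOCSP ...` comment lines would break the install step instead of enabling the directive; resolving the node with `aug.match()` first and editing one explicit match avoids that. The Augeas handle is never released either; `aug.close()` after `aug.save()` frees it.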
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From dcd894bf135d37ed647a244f415b7a55cbe10412 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 13 - ipaserver/install/httpinstance.py | 18 ++ ipaserver/install/server/upgrade.py | 12 +++- 4 files changed, 42 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..f10544c 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,22 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..2844d19 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', + paths.HTTPD_NSS_CONF[1:], + 'VirtualHost') +ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg')) + +if ocsp is None: +aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP') + +aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +384,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +409,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 927acb0..732f6b5 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1375,6 +1375,11 @@ def remove_ds_ra_cert(subject_base): def fix_trust_flags(): root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR) +db =
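Review bot: `ocsp = aug.get(...)` returning None cannot distinguish "directive absent" from "Augeas could not parse nss.conf at all"; in the second case the file is missing from `/files` and the failure is recorded under `/augeas/files<path>/error`, so the code appends a directive into an empty tree and `aug.save()` then fails with a bare IOError that says nothing about the cause. Before editing, check `if aug.match('/augeas/files' + paths.HTTPD_NSS_CONF + '/error'):` and raise with `aug.get('/augeas/files' + paths.HTTPD_NSS_CONF + '/error/message')` in the message, so the install or upgrade log names the real problem. `directive[last()+1]` is also set under an unqualified `VirtualHost`, which I believe fails if the file holds more than one VirtualHost block, so an explicit `VirtualHost[1]` or an `aug.match` count check would be safer. The same code is in the `enable_mod_nss_ocsp` hunk of the next revision (commit 641a697).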
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 641a69736086a14743052c3c17200fe8a545d2a2 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 ++ ipaserver/install/httpinstance.py | 18 ++ ipaserver/install/server/upgrade.py | 14 -- 4 files changed, 45 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..1d7615c 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,25 @@ import syslog import traceback +from ipalib import api from ipaplatform import services +from ipaplatform.paths import paths from ipaserver.install import certs def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +server_certs = db.find_server_certs() +if len(server_certs) == 0: +raise RuntimeError("Could not find a suitable server cert.") + +nickname = server_certs[0][0] +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..111392b 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss NSSOCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
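Review bot: Raising `RuntimeError("Could not find a suitable server cert.")` inside `_main` before the syslog line means that when the NSS DB lookup fails, the httpd restart certmonger asked for is never reached (the restart call lies past the hunk, so this is inferred), leaving httpd serving the pre-renewal certificate; logging through `syslog.syslog(syslog.LOG_ERR, ...)` and skipping only the trust change keeps the restart. `server_certs[0][0]` silently takes the first entry when `find_server_certs()` returns several certificates, so with more than one server cert in the DB the wrong one may receive 'P,,' trust; matching against the `NSSNickname` directive, as the previous revision did, or applying the flag to every returned nickname would be deterministic. `len(server_certs) == 0` is more idiomatic as `if not server_certs:`. The `_main` body continues outside the hunk.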
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas() +ocsp_path = os.path.join('/files', + paths.HTTPD_NSS_CONF[1:], + 'VirtualHost') +ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg')) + +if ocsp is None: +aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP') + +aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +384,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +409,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 927acb0..0f315a6 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1375,7 +1375,7 @@ def remove_ds_ra_cert(subject_base): def fix_trust_flags(): root_logger.info('[Fixing trust flags in %s]' %