Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-27 Thread Tomas Babej


On 01/27/2016 02:53 PM, Jan Cholasta wrote:
> On 27.1.2016 14:41, Tomas Babej wrote:
>>
>>
>> On 01/27/2016 08:06 AM, Martin Babinsky wrote:
>>> On 01/25/2016 08:19 AM, Jan Cholasta wrote:
>>>> On 22.1.2016 12:28, Jan Cholasta wrote:
>>>>> On 22.1.2016 10:34, Martin Babinsky wrote:
>>>>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> the attached patch fixes
>>>>>>> .
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>> ACK
>>>>>
>>>>> Self-NACK. Doesn't work with external CA install.
>>>>>
>>>> Updated patches attached.
>>>>
>>> ACK
>>>
>> Pushed to master: eaafeddf769c25bd44b490ae18ffb58e97df4963
>> Pushed to ipa-4-2: 2314fa66fd7fe543209292660d4f7f9611cdedb2
>
> It seems you forgot ipa-4-3.
>

Yep, thanks. Pushed to ipa-4-3: 659c5ae7e649c1f03ac9f93c1b5369f037811d7d

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-27 Thread Jan Cholasta

On 27.1.2016 14:41, Tomas Babej wrote:
>
>
> On 01/27/2016 08:06 AM, Martin Babinsky wrote:
>> On 01/25/2016 08:19 AM, Jan Cholasta wrote:
>>> On 22.1.2016 12:28, Jan Cholasta wrote:
>>>> On 22.1.2016 10:34, Martin Babinsky wrote:
>>>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patch fixes
>>>>>> .
>>>>>>
>>>>>> Honza
>>>>>>
>>>>> ACK
>>>>
>>>> Self-NACK. Doesn't work with external CA install.
>>>>
>>> Updated patches attached.
>>>
>> ACK
>>
> Pushed to master: eaafeddf769c25bd44b490ae18ffb58e97df4963
> Pushed to ipa-4-2: 2314fa66fd7fe543209292660d4f7f9611cdedb2

It seems you forgot ipa-4-3.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-27 Thread Tomas Babej


On 01/27/2016 08:06 AM, Martin Babinsky wrote:
> On 01/25/2016 08:19 AM, Jan Cholasta wrote:
>> On 22.1.2016 12:28, Jan Cholasta wrote:
>>> On 22.1.2016 10:34, Martin Babinsky wrote:
>>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patch fixes
>>>>> .
>>>>>
>>>>> Honza
>>>>>
>>>> ACK
>>>
>>> Self-NACK. Doesn't work with external CA install.
>>>
>> Updated patches attached.
>>
> ACK
>

Pushed to master: eaafeddf769c25bd44b490ae18ffb58e97df4963
Pushed to ipa-4-2: 2314fa66fd7fe543209292660d4f7f9611cdedb2



Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-26 Thread Martin Babinsky

On 01/25/2016 08:19 AM, Jan Cholasta wrote:
> On 22.1.2016 12:28, Jan Cholasta wrote:
>> On 22.1.2016 10:34, Martin Babinsky wrote:
>>> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch fixes
>>>> .
>>>>
>>>> Honza
>>>>
>>> ACK
>>
>> Self-NACK. Doesn't work with external CA install.
>>
> Updated patches attached.

ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-24 Thread Jan Cholasta

On 22.1.2016 12:28, Jan Cholasta wrote:
> On 22.1.2016 10:34, Martin Babinsky wrote:
>> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes .
>>>
>>> Honza
>>>
>> ACK
>
> Self-NACK. Doesn't work with external CA install.

Updated patches attached.

--
Jan Cholasta
From e2419fe2190cf1da3b291882ba82b4ffde6ad46a Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 28 +---
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5f86468..bfb726c 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
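Review bot: the only effect of this hunk is dropping `from ipapython.dn import DN`, which is correct only if the `DN(str(x509.get_subject(...)))` call removed further down in `_main()` was the file's sole use of `DN`; the hunk context cannot show that, so a quick search of renew_ca_cert for other `DN` references before merging would confirm the script still imports cleanly.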
@@ -155,11 +154,9 @@ def _main():
 "Updating CA certificate failed: %s" % e)
 
 # Add external CA certificates
-ca_issuer = str(x509.get_issuer(cert, x509.DER))
 try:
-ca_certs = certstore.get_ca_certs(
-conn, api.env.basedn, api.env.realm, False,
-filter_subject=ca_issuer)
+ca_certs = certstore.get_ca_certs_nss(
+conn, api.env.basedn, api.env.realm, False)
 except Exception as e:
 syslog.syslog(
 syslog.LOG_ERR,
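Review bot: dropping `ca_issuer` and the `filter_subject=ca_issuer` argument changes what is imported into Dogtag's NSS database from the IPA CA's own issuer chain to every CA certificate `certstore.get_ca_certs_nss` returns, and the trust flags now come entirely from that helper instead of this script; that is the intended fix for DS using a third-party server cert, but it means the trust each imported CA receives is decided outside this file, so the flag mapping in `get_ca_certs_nss` should be reviewed together with this hunk. The surrounding `except Exception as e:` still swallows any lookup failure and continues with `ca_certs = []`, which leaves Dogtag without the certificates it needs to reach DS after a renewal while only a syslog line records it; consider treating that as a renewal failure rather than a warning. With `ca_issuer` gone, also check whether `x509` is still used anywhere in renew_ca_cert, since it remains in the `from ipalib import api, errors, x509, certstore` line.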
@@ -167,25 +164,18 @@ def _main():
 "%s" % e)
 ca_certs = []
 
-for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-nick = nick_base
-i = 1
-while db.has_nickname(nick):
-nick = '%s [%s]' % (nick_base, i)
-i += 1
-if ca_trusted is False:
-flags = 'p,p,p'
-else:
-flags = 'CT,c,'
-
+for ca_cert, ca_nick, ca_flags in ca_certs:
 try:
-db.add_cert(ca_cert, nick, flags)
+db.add_cert(ca_cert, ca_nick, ca_flags)
 except ipautil.CalledProcessError as e:
 syslog.syslog(
 syslog.LOG_ERR,
 "Failed to add certificate %s" % ca_nick)
+
+# Pass Dogtag's self-tests
+for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+db.trust_root_cert(ca_nick, 'C' + ca_flags)
 finally:
 if conn is not None and conn.isconnected():
 conn.disconnect()
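Review bot: in the `# Pass Dogtag's self-tests` block, `dict(cc[1:] for cc in ca_certs)[ca_nick]` raises KeyError when the nickname picked by `db.find_root_cert(nickname)[-2:-1]` is not among `ca_certs`, which is exactly what happens when the matching `db.add_cert` call above failed and was only logged via `ipautil.CalledProcessError`; the KeyError then escapes through the `finally:` with no syslog message. A `.get(ca_nick)` with a logged skip would keep the failure mode consistent with the add loop. The `[-2:-1]` slice also selects one element of whatever `find_root_cert` returns purely by position and silently does nothing when there are fewer than two entries, so a one-line comment saying which certificate in the chain it is meant to pick would make the intent reviewable. Lastly, `'C' + ca_flags` prepends unconditionally; if the flags coming out of `get_ca_certs_nss` can already begin with `C`, the letter is doubled, so either guard that or note that the helper never returns such a value.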
-- 
2.5.0

From fef9b5d8b020178ac266acf274e72b95805420d3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 28 +---
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765..92dc0e6 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import dogtag, ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
 "Updating CA certificate failed: %s" % e)
 
 # Add external CA certificates
-ca_issuer = str(x509.get_issuer(cert, x509.DER))
 try:
-ca_certs = certstore.get_ca_certs(
-conn, api.env.basedn, api.env.realm, False,
-

Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-22 Thread Jan Cholasta

On 22.1.2016 10:34, Martin Babinsky wrote:
> On 01/21/2016 10:27 AM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
>>
>> Honza
>>
> ACK

Self-NACK. Doesn't work with external CA install.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-22 Thread Martin Babinsky

On 01/21/2016 10:27 AM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .
>
> Honza
>

ACK

--
Martin^3 Babinsky



[Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-21 Thread Jan Cholasta

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
From 0823cc7e740f993a63dd5a81fb1d6c59d557a542 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 21 +++--
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5f86468..e990a3c 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -155,11 +154,9 @@ def _main():
 "Updating CA certificate failed: %s" % e)
 
 # Add external CA certificates
-ca_issuer = str(x509.get_issuer(cert, x509.DER))
 try:
-ca_certs = certstore.get_ca_certs(
-conn, api.env.basedn, api.env.realm, False,
-filter_subject=ca_issuer)
+ca_certs = certstore.get_ca_certs_nss(
+conn, api.env.basedn, api.env.realm, False)
 except Exception as e:
 syslog.syslog(
 syslog.LOG_ERR,
@@ -167,19 +164,7 @@ def _main():
 "%s" % e)
 ca_certs = []
 
-for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-nick = nick_base
-i = 1
-while db.has_nickname(nick):
-nick = '%s [%s]' % (nick_base, i)
-i += 1
-if ca_trusted is False:
-flags = 'p,p,p'
-else:
-flags = 'CT,c,'
-
+for ca_cert, nick, flags in ca_certs:
 try:
 db.add_cert(ca_cert, nick, flags)
 except ipautil.CalledProcessError as e:
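Review bot: replacing the locally derived nickname and trust flags (`'CT,c,'` for trusted CAs, `'p,p,p'` otherwise) with the `nick, flags` tuple from `get_ca_certs_nss` means this loop no longer guarantees that the IPA CA's issuer chain is marked trusted in Dogtag's NSS database; with an externally signed IPA CA that chain is the one Dogtag must be able to validate, which is consistent with the Self-NACK for external CA installs in this thread and with the updated patch adding an explicit `trust_root_cert` step after the loop under a `# Pass Dogtag's self-tests` comment. Whichever variant is merged should state in a comment which flags `get_ca_certs_nss` yields for the chain so the reader does not have to look it up.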
-- 
2.5.0

From caffb10f2d4a75d02fbacfd11be44e92e0649ea7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595
---
 install/restart_scripts/renew_ca_cert | 21 +++--
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765..c3a5abd 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import dogtag, ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
 "Updating CA certificate failed: %s" % e)
 
 # Add external CA certificates
-ca_issuer = str(x509.get_issuer(cert, x509.DER))
 try:
-ca_certs = certstore.get_ca_certs(
-conn, api.env.basedn, api.env.realm, False,
-filter_subject=ca_issuer)
+ca_certs = certstore.get_ca_certs_nss(
+conn, api.env.basedn, api.env.realm, False)
 except Exception, e:
 syslog.syslog(
 syslog.LOG_ERR,
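Review bot: this branch version keeps the `except Exception, e:` context line, which is Python 2-only syntax, while the master version of the same hunk uses `except Exception as e:`; that is fine for a Python 2-only branch, but it means the two attachments cannot be applied interchangeably, so the cover message should say which branch each patch targets (the `from ipapython import dogtag, ipautil` line is the only other hint).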
@@ -170,19 +167,7 @@ def _main():
 "%s" % e)
 ca_certs = []
 
-for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-nick = nick_base
-i = 1
-while db.has_nickname(nick):
-nick = '%s [%s]' % (nick_base, i)
-i += 1
-i