Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host
On 8.10.2014 10:38, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4550. Honza Works fine. Just minor ones: 1. The new option deserves a 'help' text. basic_group.add_option(--request-cert, dest=request_cert, action=store_true, default=False) 2. Typo: 'A RA is not' -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host
Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a): On 8.10.2014 10:38, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4550. Honza Works fine. Just minor ones: 1. The new option deserves a 'help' text. basic_group.add_option(--request-cert, dest=request_cert, action=store_true, default=False) Good point, will fix. 2. Typo: 'A RA is not' Not a typo, it was reverted from https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=058c1f453c4e2df38eec57ba605cd5dc492eb978 and has been around since https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=67c7bd3060461f0050640aca682da155e667875b. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host
Dne 16.10.2014 v 17:29 Jan Cholasta napsal(a): Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a): On 8.10.2014 10:38, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4550. Honza Works fine. Just minor ones: 1. The new option deserves a 'help' text. basic_group.add_option(--request-cert, dest=request_cert, action=store_true, default=False) Good point, will fix. 2. Typo: 'A RA is not' Not a typo, it was reverted from https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1id=058c1f453c4e2df38eec57ba605cd5dc492eb978 and has been around since https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1id=67c7bd3060461f0050640aca682da155e667875b. Updated rebased patches attached. -- Jan Cholasta From d79850e08cbfe8fc3954313bc53049b602140bfc Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Oct 2014 10:27:25 +0200 Subject: [PATCH 1/2] Fix certmonger.request_cert https://fedorahosted.org/freeipa/ticket/4550 --- ipapython/certmonger.py | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index dc6cff9..ac095f0 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -254,9 +254,14 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): Execute certmonger to request a server certificate. cm = _connect_to_certmonger() +ca_path = cm.obj_if.find_ca_by_nickname('IPA') +if not ca_path: +raise RuntimeError('IPA CA not found') request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB', CERT_LOCATION=nssdb, CERT_NICKNAME=nickname, - SUBJECT=subject, PRINCIPAL=principal,) + KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, + SUBJECT=subject, PRINCIPAL=[principal], + CA=ca_path) if passwd_fname: request_parameters['KEY_PIN_FILE'] = passwd_fname result = cm.obj_if.add_request(request_parameters) -- 1.9.3 From 0b2f44fbef89e2d0998b57bb423841771a6e1955 Mon Sep 17 00:00:00 2001 
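Review bot: The guard `if not ca_path:` only works if certmonger's `find_ca_by_nickname` reports "no such CA" with a falsy return value; if the D-Bus method instead raises, or returns a non-empty placeholder path, the `RuntimeError('IPA CA not found')` branch is dead and the request is still filed with a bogus `CA=` entry, so this is worth confirming against the certmonger D-Bus API before relying on it. The docstring still reads only "Execute certmonger to request a server certificate." and does not record the new contract; add `Raises RuntimeError if certmonger has no CA registered under the nickname 'IPA'.` and a note that `principal` is submitted as a one-element `PRINCIPAL` list. request_cert's body continues past the end of the hunk.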
From: Jan Cholasta jchol...@redhat.com Date: Tue, 7 Oct 2014 19:07:13 +0200 Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request cert for the host The certificate is stored in /etc/ipa/nssdb under the nickname Local IPA host. https://fedorahosted.org/freeipa/ticket/4550 --- ipa-client/ipa-install/ipa-client-install | 105 ++ ipa-client/man/ipa-client-install.1 | 4 ++ 2 files changed, 97 insertions(+), 12 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e59df9..3b6e581 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS -client_nss_nickname_format = 'IPA Machine Certificate - %s' - def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): if not os.path.exists(value): @@ -158,6 +156,9 @@ def parse_options(): basic_group.add_option(--ca-cert-file, dest=ca_cert_file, type=string, action=callback, callback=validate_ca_cert_file_option, help=load the CA certificate from this file) +basic_group.add_option(--request-cert, dest=request_cert, + action=store_true, default=False, + help=request certificate for the machine) # --on-master is used in ipa-server-install and ipa-replica-install # only, it isn't meant to be used on clients. basic_group.add_option(--on-master, dest=on_master, action=store_true, 
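Review bot: The help text added in the `@@ -158` hunk, `help="request certificate for the machine"`, does not tell the operator where the certificate lands or under which nickname, which is the one thing they need when pointing a service at it; the commit message states /etc/ipa/nssdb and the nickname "Local IPA host", so the option should say so, e.g. `help="request a host certificate from the IPA CA and store it in /etc/ipa/nssdb"`. The man-page change listed in the diffstat is not visible on this page, so I cannot tell whether it documents the nickname. parse_options continues past the hunk.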
@@ -482,11 +483,11 @@ def uninstall(options, env): if hostname is None: hostname = socket.getfqdn() -client_nss_nickname = client_nss_nickname_format % hostname +ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) +sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) # Always start certmonger. We can't untrack something if it isn't -# running. Note that this is legacy code to untrack any certificates -# that were created by previous versions of this installer. +# running messagebus = services.knownservices.messagebus try: messagebus.start() @@ -499,14 +500,24 @@ def uninstall(options, env): except Exception, e: log_service_error(cmonger.service_name, 'start', e) -try: -certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname) -except (CalledProcessError, RuntimeError), e: -root_logger.error(%s failed to stop tracking certificate: %s, -cmonger.service_name, str(e)) +if
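Review bot: `ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)` is now constructed unconditionally on every uninstall, including on clients enrolled before this option existed, which may never have had /etc/ipa/nssdb created; whether that constructor touches the directory is not visible here, so either confirm it is lazy or guard the new-nickname cleanup with `if os.path.exists(paths.IPA_NSSDB_DIR):`, otherwise uninstall could abort before the legacy certificate is untracked. The reworded comment was also cut down to a bare `# running` with no terminating period; `# running.` reads as intended. uninstall() starts before this hunk and continues after it.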
Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host
On 16.10.2014 17:47, Jan Cholasta wrote: Dne 16.10.2014 v 17:29 Jan Cholasta napsal(a): Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a): On 8.10.2014 10:38, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4550. Honza Updated rebased patches attached. ACK pushed to master: * 4333a623da4190a7e59e7397159e8200d131904b Fix certmonger.request_cert * ca7e0c270f5e3b685fd2fbe34b676e85c373c5d0 Add ipa-client-install switch --request-cert to request cert for the host ipa-4-1: * 68a36a28045a39afa1131f19e0298a828a367ee5 Fix certmonger.request_cert * b5f9d40dba05ebfdc3f635d5016bd28a5a03ce63 Add ipa-client-install switch --request-cert to request cert for the host -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host
Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4550. Honza -- Jan Cholasta From 001f7bbc7010f106986f19d5040b272a13aa8ba8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Oct 2014 10:27:25 +0200 Subject: [PATCH 1/2] Fix certmonger.request_cert https://fedorahosted.org/freeipa/ticket/4550 --- ipapython/certmonger.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index bcfafda..05071a0 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -253,9 +253,12 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): Execute certmonger to request a server certificate. cm = _connect_to_certmonger() +ca_path = cm.obj_if.find_ca_by_nickname('IPA') request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB', CERT_LOCATION=nssdb, CERT_NICKNAME=nickname, - SUBJECT=subject, PRINCIPAL=principal,) + KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, + SUBJECT=subject, PRINCIPAL=[principal], + CA=ca_path) if passwd_fname: request_parameters['KEY_PIN_FILE'] = passwd_fname result = cm.obj_if.add_request(request_parameters) -- 1.9.3 From 993d4393388df2b4f0cad83ce5e1093b5c783e78 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 7 Oct 2014 19:07:13 +0200 Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request cert for the host The certificate is stored in /etc/ipa/nssdb under the nickname Local IPA host. https://fedorahosted.org/freeipa/ticket/4550 --- ipa-client/ipa-install/ipa-client-install | 104 ++ ipa-client/man/ipa-client-install.1 | 4 ++ 2 files changed, 96 insertions(+), 12 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e59df9..9584ba4 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
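Review bot: `ca_path = cm.obj_if.find_ca_by_nickname('IPA')` is passed straight through as `CA=ca_path` with no check of the result, so on a host whose certmonger has no CA registered under that nickname the request is submitted with whatever "not found" value the D-Bus call returns and fails inside add_request with an opaque error instead of a clear one. Add `if not ca_path: raise RuntimeError('IPA CA not found')` directly after the lookup; the rebased revision posted later in this thread does exactly that. request_cert's body continues past the end of the hunk.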
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS -client_nss_nickname_format = 'IPA Machine Certificate - %s' - def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): if not os.path.exists(value): @@ -158,6 +156,8 @@ def parse_options(): basic_group.add_option(--ca-cert-file, dest=ca_cert_file, type=string, action=callback, callback=validate_ca_cert_file_option, help=load the CA certificate from this file) +basic_group.add_option(--request-cert, dest=request_cert, + action=store_true, default=False) # --on-master is used in ipa-server-install and ipa-replica-install # only, it isn't meant to be used on clients. basic_group.add_option(--on-master, dest=on_master, action=store_true, @@ -482,11 +482,11 @@ def uninstall(options, env): if hostname is None: hostname = socket.getfqdn() -client_nss_nickname = client_nss_nickname_format % hostname +ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) +sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) # Always start certmonger. We can't untrack something if it isn't -# running. Note that this is legacy code to untrack any certificates -# that were created by previous versions of this installer. +# running messagebus = services.knownservices.messagebus try: messagebus.start() 
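Review bot: In the `@@ -482` hunk the comment explaining that the per-hostname `IPA Machine Certificate - <hostname>` untracking is legacy cleanup for older installers is deleted, yet that cleanup still appears to survive in the following hunk (only partially visible here), so the next maintainer loses the reason the old nickname is still handled. Keep a one-line note next to the two NSSDatabase handles, e.g. `# sys_db holds the legacy per-hostname cert from pre-4.1 installers; ipa_db holds 'Local IPA host'.`, and finish the truncated `# running` comment with a period. uninstall() starts before this hunk and continues after it.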
@@ -499,14 +499,24 @@ def uninstall(options, env): except Exception, e: log_service_error(cmonger.service_name, 'start', e) -try: -certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname) -except (CalledProcessError, RuntimeError), e: -root_logger.error(%s failed to stop tracking certificate: %s, -cmonger.service_name, str(e)) +if ipa_db.has_nickname('Local IPA host'): +try: +certmonger.stop_tracking(paths.IPA_NSSDB_DIR, + nickname='Local IPA host') +except RuntimeError, e: +root_logger.error(%s failed to stop tracking certificate: %s, + cmonger.service_name, e) + +client_nss_nickname = 'IPA Machine Certificate - %s' % hostname +if sys_db.has_nickname(client_nss_nickname): +try: +certmonger.stop_tracking(paths.NSS_DB_DIR, + nickname=client_nss_nickname) +except RuntimeError, e: +root_logger.error(%s failed to stop tracking certificate: %s, + cmonger.service_name, e) # Remove our host cert and CA cert -ipa_db =