Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-16 Thread Petr Vobornik

On 8.10.2014 10:38, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4550.

Honza



Works fine. Just minor ones:

1. The new option deserves a 'help' text.

basic_group.add_option(--request-cert, dest=request_cert,
   action=store_true, default=False)


2. Typo: 'A RA is not'
--
Petr Vobornik



Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-16 Thread Jan Cholasta

Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a):

On 8.10.2014 10:38, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4550.

Honza



Works fine. Just minor ones:

1. The new option deserves a 'help' text.

basic_group.add_option(--request-cert, dest=request_cert,
action=store_true, default=False)


Good point, will fix.




2. Typo: 'A RA is not'


Not a typo, it was reverted from 
https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=058c1f453c4e2df38eec57ba605cd5dc492eb978
and has been around since 
https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=67c7bd3060461f0050640aca682da155e667875b.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-16 Thread Jan Cholasta

Dne 16.10.2014 v 17:29 Jan Cholasta napsal(a):

Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a):

On 8.10.2014 10:38, Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4550.

Honza



Works fine. Just minor ones:

1. The new option deserves a 'help' text.

basic_group.add_option(--request-cert, dest=request_cert,
action=store_true, default=False)


Good point, will fix.




2. Typo: 'A RA is not'


Not a typo, it was reverted from
https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=058c1f453c4e2df38eec57ba605cd5dc492eb978
and has been around since
https://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-4-1&id=67c7bd3060461f0050640aca682da155e667875b.



Updated rebased patches attached.

--
Jan Cholasta
From d79850e08cbfe8fc3954313bc53049b602140bfc Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:27:25 +0200
Subject: [PATCH 1/2] Fix certmonger.request_cert

https://fedorahosted.org/freeipa/ticket/4550
---
 ipapython/certmonger.py | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index dc6cff9..ac095f0 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -254,9 +254,14 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
 Execute certmonger to request a server certificate.
 
 cm = _connect_to_certmonger()
+ca_path = cm.obj_if.find_ca_by_nickname('IPA')
+if not ca_path:
+raise RuntimeError('IPA CA not found')
 request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
   CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
-  SUBJECT=subject, PRINCIPAL=principal,)
+  KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
+  SUBJECT=subject, PRINCIPAL=[principal],
+  CA=ca_path)
 if passwd_fname:
 request_parameters['KEY_PIN_FILE'] = passwd_fname
 result = cm.obj_if.add_request(request_parameters)
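Review bot: `request_cert` now hard-codes the certmonger CA nickname `'IPA'` on the `find_ca_by_nickname` line, while the docstring two lines above still only says it requests a server certificate. Either document the fixed CA in the docstring, e.g. `Execute certmonger to request a certificate from the CA registered in certmonger under the nickname 'IPA'; raises RuntimeError when that CA is not configured.`, or add a `ca='IPA'` keyword parameter so callers can choose the CA without changing the existing call sites. The `if not ca_path` guard covers both an empty string and None, which is right if `find_ca_by_nickname` can return either — its return convention is not visible here, so worth confirming. request_cert's body continues outside the hunk.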
-- 
1.9.3

From 0b2f44fbef89e2d0998b57bb423841771a6e1955 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 19:07:13 +0200
Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request
 cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname
'Local IPA host'.

https://fedorahosted.org/freeipa/ticket/4550
---
 ipa-client/ipa-install/ipa-client-install | 105 ++
 ipa-client/man/ipa-client-install.1   |   4 ++
 2 files changed, 97 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df9..3b6e581 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
 SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
 SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
 
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
 def parse_options():
 def validate_ca_cert_file_option(option, opt, value, parser):
 if not os.path.exists(value):
@@ -158,6 +156,9 @@ def parse_options():
 basic_group.add_option(--ca-cert-file, dest=ca_cert_file,
type=string, action=callback, callback=validate_ca_cert_file_option,
help=load the CA certificate from this file)
+basic_group.add_option(--request-cert, dest=request_cert,
+   action=store_true, default=False,
+   help=request certificate for the machine)
 # --on-master is used in ipa-server-install and ipa-replica-install
 # only, it isn't meant to be used on clients.
 basic_group.add_option(--on-master, dest=on_master, action=store_true,
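Review bot: The new `help` string on the `--request-cert` option says only `request certificate for the machine`; since the switch causes a certificate to be requested and, per the commit message, stored in /etc/ipa/nssdb under the nickname 'Local IPA host', an administrator reading `--help` would benefit from knowing where it ends up, e.g. `help="request certificate for the machine and store it in /etc/ipa/nssdb"`. parse_options continues outside the hunk.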
@@ -482,11 +483,11 @@ def uninstall(options, env):
 if hostname is None:
 hostname = socket.getfqdn()
 
-client_nss_nickname = client_nss_nickname_format % hostname
+ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
 
 # Always start certmonger. We can't untrack something if it isn't
-# running. Note that this is legacy code to untrack any certificates
-# that were created by previous versions of this installer.
+# running
 messagebus = services.knownservices.messagebus
 try:
 messagebus.start()
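Review bot: The rewritten comment ending in `# running` drops the explanation that untracking the `IPA Machine Certificate - <hostname>` nickname in the system NSS database is legacy clean-up for certificates created by older installers, yet the earlier revision of this patch further down the thread shows that untracking still happening a few lines below (the corresponding hunk in this revision is cut off here). Keep the why, e.g. `# running. Untracking 'IPA Machine Certificate - <hostname>' in the system` / `# NSS database is legacy clean-up for certs created by older installers.` The same applies to this hunk in the earlier revision of the patch. uninstall's body continues outside the hunk.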
@@ -499,14 +500,24 @@ def uninstall(options, env):
 except Exception, e:
 log_service_error(cmonger.service_name, 'start', e)
 
-try:
-certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
-except (CalledProcessError, RuntimeError), e:
-root_logger.error(%s failed to stop tracking certificate: %s,
-cmonger.service_name, str(e))
+if 

Re: [Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-16 Thread Petr Vobornik

On 16.10.2014 17:47, Jan Cholasta wrote:

Dne 16.10.2014 v 17:29 Jan Cholasta napsal(a):

Dne 16.10.2014 v 16:28 Petr Vobornik napsal(a):

On 8.10.2014 10:38, Jan Cholasta wrote:

Hi,

the attached patches fix
https://fedorahosted.org/freeipa/ticket/4550.

Honza


Updated rebased patches attached.



ACK

pushed to

master:
* 4333a623da4190a7e59e7397159e8200d131904b Fix certmonger.request_cert
* ca7e0c270f5e3b685fd2fbe34b676e85c373c5d0 Add ipa-client-install switch 
--request-cert to request cert for the host

ipa-4-1:
* 68a36a28045a39afa1131f19e0298a828a367ee5 Fix certmonger.request_cert
* b5f9d40dba05ebfdc3f635d5016bd28a5a03ce63 Add ipa-client-install switch 
--request-cert to request cert for the host

--
Petr Vobornik



[Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-08 Thread Jan Cholasta

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4550.

Honza

--
Jan Cholasta
From 001f7bbc7010f106986f19d5040b272a13aa8ba8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:27:25 +0200
Subject: [PATCH 1/2] Fix certmonger.request_cert

https://fedorahosted.org/freeipa/ticket/4550
---
 ipapython/certmonger.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index bcfafda..05071a0 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -253,9 +253,12 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
 Execute certmonger to request a server certificate.
 
 cm = _connect_to_certmonger()
+ca_path = cm.obj_if.find_ca_by_nickname('IPA')
 request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
   CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
-  SUBJECT=subject, PRINCIPAL=principal,)
+  KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
+  SUBJECT=subject, PRINCIPAL=[principal],
+  CA=ca_path)
 if passwd_fname:
 request_parameters['KEY_PIN_FILE'] = passwd_fname
 result = cm.obj_if.add_request(request_parameters)
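Review bot: `ca_path` from `find_ca_by_nickname('IPA')` is passed straight into `CA=ca_path` without checking that a CA was actually found, so on a certmonger without the IPA CA configured the request is submitted with whatever the lookup returns (presumably empty or None) instead of failing with a clear message. The rebased revision of this patch earlier in the thread adds `if not ca_path: raise RuntimeError('IPA CA not found')` directly after the lookup, which is the right fix. request_cert's body continues outside the hunk.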
-- 
1.9.3

From 993d4393388df2b4f0cad83ce5e1093b5c783e78 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 19:07:13 +0200
Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request
 cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname
'Local IPA host'.

https://fedorahosted.org/freeipa/ticket/4550
---
 ipa-client/ipa-install/ipa-client-install | 104 ++
 ipa-client/man/ipa-client-install.1   |   4 ++
 2 files changed, 96 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df9..9584ba4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
 SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
 SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
 
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
 def parse_options():
 def validate_ca_cert_file_option(option, opt, value, parser):
 if not os.path.exists(value):
@@ -158,6 +156,8 @@ def parse_options():
 basic_group.add_option(--ca-cert-file, dest=ca_cert_file,
type=string, action=callback, callback=validate_ca_cert_file_option,
help=load the CA certificate from this file)
+basic_group.add_option(--request-cert, dest=request_cert,
+   action=store_true, default=False)
 # --on-master is used in ipa-server-install and ipa-replica-install
 # only, it isn't meant to be used on clients.
 basic_group.add_option(--on-master, dest=on_master, action=store_true,
@@ -482,11 +482,11 @@ def uninstall(options, env):
 if hostname is None:
 hostname = socket.getfqdn()
 
-client_nss_nickname = client_nss_nickname_format % hostname
+ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
 
 # Always start certmonger. We can't untrack something if it isn't
-# running. Note that this is legacy code to untrack any certificates
-# that were created by previous versions of this installer.
+# running
 messagebus = services.knownservices.messagebus
 try:
 messagebus.start()
@@ -499,14 +499,24 @@ def uninstall(options, env):
 except Exception, e:
 log_service_error(cmonger.service_name, 'start', e)
 
-try:
-certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
-except (CalledProcessError, RuntimeError), e:
-root_logger.error(%s failed to stop tracking certificate: %s,
-cmonger.service_name, str(e))
+if ipa_db.has_nickname('Local IPA host'):
+try:
+certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host')
+except RuntimeError, e:
+root_logger.error(%s failed to stop tracking certificate: %s,
+  cmonger.service_name, e)
+
+client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+if sys_db.has_nickname(client_nss_nickname):
+try:
+certmonger.stop_tracking(paths.NSS_DB_DIR,
+ nickname=client_nss_nickname)
+except RuntimeError, e:
+root_logger.error(%s failed to stop tracking certificate: %s,
+  cmonger.service_name, e)
 
 # Remove our host cert and CA cert
-ipa_db =