Re: [Freeipa-devel] [PATCHES] 0197-0205 Installing without a CA, with custom SSL certs

2013-03-28 Thread Jan Cholasta 

On 28.3.2013 12:20, Petr Viktorin wrote:

On 03/26/2013 04:48 PM, Petr Viktorin wrote:

[...]


This update adds a check for validity of the server cert's hostname,
using python-nss.



This is what I have found just by looking at the patches:


Patch 197:

"We names of files with pkcs12 pins to installers ..."

This sentence does not seem right to me.


Patch 198:

+if setup_ca:
+print "Be sure to back up the CA certificate stored in 
/etc/httpd/alias/cacert.p12"
+print "The password for this file is in 
/etc/httpd/alias/pwdfile.txt"


This is not the right message. This is the message for --selfsign.


Patch 204:

+http_cert_name =check_pkcs12(http_pkcs12_info, ca_file, host_name)

Missing space after equal sign.


More to come tomorrow, when I'm finished with testing.


Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0197-0205 Installing without a CA, with custom SSL certs

2013-03-26 Thread Petr Viktorin 

On 03/22/2013 02:22 PM, Petr Viktorin wrote:
[...]


Design is now at: http://freeipa.org/page/V3/CA-less_install

Patch 199 deferred to https://fedorahosted.org/freeipa/ticket/3529

Updated patches attached.


Orion Poplawski found a bug in the patches: the CA cert wasn't loaded 
into the server NSS databases, making install fail with PKCS#12 files 
that only contain the server cert. This additional patch fixes that.


Note that certs for any *intermediate* CAs must be in the PKCS#12 file; 
only the root CA may be missing. So this is mainly for cases where the 
server cert is signed directly by the root CA.


Thanks for testing!

--
PetrĀ³

From 6c3c6dfaa58d5d93bf8c9247b202ea052e85c501 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 26 Mar 2013 15:31:07 +0100
Subject: [PATCH] Load the CA cert into server NSS databases

The CA cert was not loaded, so if it was missing from the PKCS#12 file,
installation would fail.
Pass the cert filename to the server installers and include it in
the NSS DB.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
---
 install/tools/ipa-server-install  |  5 +++--
 ipaserver/install/certs.py|  8 +++-
 ipaserver/install/dsinstance.py   | 11 +++
 ipaserver/install/httpinstance.py |  6 --
 4 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fe1f3aabe3d22cb94729bf230ccd52b8e8b5ef43..ee2126a2c36744072747ba62eab76f8726f85e82 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1031,7 +1031,8 @@ def main():
 ds.create_instance(realm_name, host_name, domain_name,
 dm_password, dirsrv_pkcs12_info,
 subject_base=options.subject,
-hbac_allow=not options.hbac_allow)
+hbac_allow=not options.hbac_allow,
+ca_file=ca_file)
 else:
 ds = dsinstance.DsInstance(fstore=fstore)
 ds.create_instance(realm_name, host_name, domain_name,
@@ -1162,7 +1163,7 @@ def main():
 http.create_instance(
 realm_name, host_name, domain_name, dm_password, autoconfig=False,
 pkcs12_info=http_pkcs12_info, subject_base=options.subject,
-auto_redirect=options.ui_redirect)
+auto_redirect=options.ui_redirect, ca_file=ca_file)
 else:
 http.create_instance(
 realm_name, host_name, domain_name, dm_password, autoconfig=True,
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 65bb2579cee96b92da22ab5a52b81337d438f7dc..977cde0afa6ab6dd6398fa088f3cd63e96b98004 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -1119,25 +1119,31 @@ class CertDB(object):
 self.create_certdbs()
 self.load_cacert(cacert_fname)
 
-def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, passwd=None):
+def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, passwd=None,
+   ca_file=None):
 """Create a new NSS database using the certificates in a PKCS#12 file.
 
pkcs12_fname: the filename of the PKCS#12 file
pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
nickname: the nickname/friendly-name of the cert we are loading
passwd: The password to use for the new NSS database we are creating
 
The global CA may be added as well in case it wasn't included in the
PKCS#12 file. Extra certs won't hurt in any case.
+
+   The global CA may be specified in ca_file, as a PEM filename.
 """
 self.create_noise_file()
 self.create_passwd_file(passwd)
 self.create_certdbs()
 self.import_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
 server_certs = self.find_server_certs()
 if len(server_certs) == 0:
 raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
 
+if ca_file:
+self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
+
 # We only handle one server cert
 nickname = server_certs[0][0]
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 38dc94e42381b3991b2211f8778c70a5d714fe96..3bc6df7eeacf3e8ebffcf83984cd6bb3e76bb67c 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -228,7 +228,8 @@ class DsInstance(service.Service):
 self.step("configuring directory to start on boot", self.__enable)
 
 def init_info(self, realm_name, fqdn, domain_name, dm_password,
-  self_signed_ca, subject_base, idstart, idmax, pkcs12_info):
+  self_signed_ca, subject_base, idstart, idmax, pkcs12_info,
+  ca_file=None):
 self.realm_name = realm_name.upper()
 self.serverid = realm_to_serverid