author | Jan Cholasta <jcholast@redhat.com> | 2014-06-09 16:04:09 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17 (patch) | |
tree | d9d95c32799bc4141f2d8bcda301624be413b51d | |
parent | 9d4eeeda55b397237af17392f3acb9542e126145 (diff) | |
download | freeipa-d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17.tar.gz freeipa-d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17.tar.xz freeipa-d2bf0b8b540e4efdb5ef06a449310f9a04a2eb17.zip |
Fix trust flags in HTTP and DS NSS databases.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rw-r--r-- | install/tools/ipa-upgradeconfig | 31 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 22 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 7 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 7 |
5 files changed, 54 insertions, 17 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c9ad0a67f..e24a6658c 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -37,7 +37,7 @@ import ipalib.util
 import ipalib.errors
 from ipaplatform import services
 from ipaplatform.tasks import tasks
-from ipapython import ipautil, sysrestore, version
+from ipapython import ipautil, sysrestore, version, certdb
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import *
 from ipapython import certmonger
@@ -1052,6 +1052,26 @@ def remove_ds_ra_cert(subject_base):
     sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)
 
 
+def fix_trust_flags(service, **kwargs):
+    root_logger.info('[Fixing trust_flags in %s NSS database]' % service)
+
+    if not api.env.enable_ra:
+        root_logger.info("CA is not enabled")
+        return
+
+    if sysupgrade.get_upgrade_state(service, 'fix_trust_flags'):
+        root_logger.info("Trust flags already fixed")
+        return
+
+    db = certs.CertDB(api.env.realm, **kwargs)
+    nickname = certdb.get_ca_nickname(api.env.realm)
+    cert = db.get_cert_from_db(nickname)
+    if cert:
+        db.trust_root_cert(nickname, 'CT,C,C')
+
+    sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)
+
+
 def main():
     """
     Get some basics about the system. If getting those basics fail then
@@ -1119,7 +1139,7 @@ def main():
     sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
 
     ds_serverid = dsinstance.realm_to_serverid(api.env.realm)
-    certmap_dir = dsinstance.config_dirname(ds_serverid)
+    ds_dirname = dsinstance.config_dirname(ds_serverid)
 
     upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf")
@@ -1127,7 +1147,7 @@ def main():
     if subject_base:
         upgrade(
             sub_dict,
-            os.path.join(certmap_dir, "certmap.conf"),
+            os.path.join(ds_dirname, "certmap.conf"),
             os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
         )
     upgrade_pki(ca, fstore)
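Review bot: `fix_trust_flags` has no docstring, and the `if cert:` branch does nothing when the CA nickname is not in the database while `sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)` is still recorded, so a later upgrade run will never revisit that database; if that is intended it deserves a comment. A docstring such as `"""Mark the IPA CA cert in the named service's NSS database as 'CT,C,C'; kwargs are passed to certs.CertDB (e.g. nssdir)."""` plus `# no CA cert in this database: nothing to fix, and do not retry on later upgrades` above `if cert:` would make the contract explicit. The `'http'` caller passes no `nssdir`, so the fix relies on `CertDB`'s default directory being the HTTP one — presumably true, but worth confirming.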
@@ -1145,12 +1165,17 @@ def main():
     http.configure_selinux_for_httpd()
     http.change_mod_nss_port_from_http()
 
+    http.stop()
+    fix_trust_flags('http')
+    http.start()
+
     ds = dsinstance.DsInstance()
     ds.configure_dirsrv_ccache()
     ds.stop(ds_serverid)
     fix_schema_file_syntax()
     remove_ds_ra_cert(subject_base)
+    fix_trust_flags('ds', nssdir=ds_dirname)
     ds.start(ds_serverid)
 
     uninstall_selfsign(ds, http)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 997281f92..a3f692d9d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1043,10 +1043,12 @@ class CAInstance(service.Service):
                     (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
                     if subject_dn == ca_dn:
                         nick = get_ca_nickname(self.realm)
+                        trust_flags = 'CT,C,C'
                     else:
                         nick = str(subject_dn)
+                        trust_flags = ',,'
                     self.__run_certutil(
-                        ['-A', '-t', 'CT,C,C', '-n', nick, '-a',
+                        ['-A', '-t', trust_flags, '-n', nick, '-a',
                          '-i', chain_name]
                     )
             finally:
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index c9f038f56..d28f7a3c8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -203,7 +203,7 @@ class NSSDatabase(object):
                                root_nickname)
         else:
             if trust_flags is None:
-                trust_flags = 'CT,CT,'
+                trust_flags = 'C,,'
             try:
                 self.run_certutil(["-M", "-n", root_nickname,
                                    "-t", trust_flags])
@@ -479,7 +479,7 @@ class CertDB(object):
                           "-k", self.passwd_fname])
         self.set_perms(self.pk12_fname)
 
-    def load_cacert(self, cacert_fname):
+    def load_cacert(self, cacert_fname, trust_flags='C,,'):
         """
         Load all the certificates from a given file. It is assumed that
         this file creates CA certificates.
@@ -496,9 +496,11 @@ class CertDB(object):
                     (rdn, subject_dn) = get_cert_nickname(cert)
                     if subject_dn == ca_dn:
                         nick = get_ca_nickname(self.realm)
+                        tf = trust_flags
                     else:
                         nick = str(subject_dn)
-                    self.nssdb.add_single_pem_cert(nick, "CT,,C", cert)
+                        tf = ',,'
+                    self.nssdb.add_single_pem_cert(nick, tf, cert)
                 except RuntimeError:
                     break
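Review bot: `http.stop()`, `fix_trust_flags('http')` and `http.start()` run with nothing guarding the middle call, so a failing certutil invocation inside `fix_trust_flags` (it calls `db.trust_root_cert`) aborts the upgrade with httpd left stopped. Wrapping it as `try:` / `    fix_trust_flags('http')` / `finally:` / `    http.start()` keeps the service up on failure; the same exposure exists for `fix_trust_flags('ds', nssdir=ds_dirname)` between `ds.stop` and `ds.start`, although that one follows the existing pattern of `fix_schema_file_syntax` and `remove_ds_ra_cert`. `main` begins and ends outside this hunk.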
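Review bot: The two trust-flag literals added around `if subject_dn == ca_dn` carry no explanation of why only the IPA CA is marked trusted while every other chain member gets `',,'`; a comment such as `# only the IPA CA itself becomes a trusted CA; other chain certs are stored without trust` would record the decision. The string `'CT,C,C'` is also spelled out in certs.py, dsinstance.py, httpinstance.py and ipa-upgradeconfig in this commit, so a single shared constant would keep the five sites from drifting apart. The enclosing method starts and ends outside the hunk.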
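Review bot: The fallback applied when `trust_flags is None` changes from `'CT,CT,'` to `'C,,'`, so a root passed without explicit flags is now a trusted CA for SSL only and no longer carries the `T` flag or e-mail trust; any caller of `trust_root_cert` that relied on the old default is silently affected. The method's docstring, which starts outside this hunk, should state the new default, e.g. `trust_flags: NSS trust string for the root cert; None means 'C,,' (SSL CA only)`.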
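Review bot: `load_cacert` gains a `trust_flags='C,,'` parameter but the docstring directly below the signature is unchanged, and the following hunk shows the parameter applies only to the cert whose subject matches `ca_dn`, every other cert in the file being added with `',,'`. Add a line such as `trust_flags: NSS trust flags for the IPA CA cert; other certs in the file are added with no trust (',,')` to the docstring, which continues outside the hunk.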
@@ -839,10 +841,10 @@ class CertDB(object):
         # a new certificate database.
         self.create_passwd_file(passwd)
         self.create_certdbs()
-        self.load_cacert(cacert_fname)
+        self.load_cacert(cacert_fname, 'CT,C,C')
 
     def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
-                           ca_file=None):
+                           ca_file=None, trust_flags=None):
         """Create a new NSS database using the certificates in a PKCS#12 file.
 
         pkcs12_fname: the filename of the PKCS#12 file
@@ -864,19 +866,17 @@ class CertDB(object):
             raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
 
         if ca_file:
-            self.nssdb.import_pem_cert('CA', 'CT,CT,', ca_file)
+            self.nssdb.import_pem_cert('CA', ',,', ca_file)
 
         # We only handle one server cert
         nickname = server_certs[0][0]
-        ca_names = [name for name, flags
-                    in self.nssdb.list_certs() if 'u' not in flags]
+        ca_names = self.find_root_cert(nickname)[:-1]
         if len(ca_names) == 0:
             raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
 
-        self.cacert_name = ca_names[0]
-        for ca in ca_names:
-            self.trust_root_cert(ca)
+        self.cacert_name = ca_names[-1]
+        self.trust_root_cert(self.cacert_name, trust_flags)
 
         self.create_pin_file()
         self.export_ca_cert(nickname, False)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2a9f3b618..e503cb220 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -625,8 +625,13 @@ class DsInstance(service.Service):
         dirname = config_dirname(self.serverid)
         dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
         if self.pkcs12_info:
+            if self.ca_is_configured:
+                trust_flags = 'CT,C,C'
+            else:
+                trust_flags = None
             dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
-                                    ca_file=self.ca_file)
+                                    ca_file=self.ca_file,
+                                    trust_flags=trust_flags)
             server_certs = dsdb.find_server_certs()
             if len(server_certs) == 0:
                 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
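Review bot: `create_from_pkcs12` gains `trust_flags=None` but the parameter list in its docstring (`pkcs12_fname: the filename of the PKCS#12 file`, continuing outside the hunk) is not extended, and the later hunk hands the value straight to `self.trust_root_cert`, where `None` falls back to that method's own default. Add `trust_flags: NSS trust flags for the CA cert selected from the chain; None uses trust_root_cert's default` so callers know what passing nothing means.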
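Review bot: `ca_names = self.find_root_cert(nickname)[:-1]` and `self.cacert_name = ca_names[-1]` depend on `find_root_cert` returning the chain with the server cert last, which is not visible in the diff; if the order is root-first, `ca_names[-1]` is the server cert's immediate issuer rather than the root, and it alone now receives `trust_flags` where the removed loop trusted every CA cert found in the database. A comment pinning that assumption, `# find_root_cert() lists the chain root-first and ends with the server cert itself`, and a docstring sentence (outside the hunk) noting that only the issuing CA is marked trusted would make the new behaviour reviewable. The `ca_file` import now uses `',,'`, so an external CA gets no trust unless it is the cert selected here — worth stating as well.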
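Review bot: The four-line `if self.ca_is_configured:` / `else:` block reads more directly as `trust_flags = 'CT,C,C' if self.ca_is_configured else None`, and the same shape recurs in the httpinstance.py hunk with `api.env.enable_ra`. Passing `None` here defers to `trust_root_cert`'s default, which is not obvious at the call site; a trailing comment `# None: trust_root_cert applies its default flags` would help. The enclosing method starts and ends outside the hunk.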
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3ca3bf77f..56f8a8910 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -269,8 +269,13 @@ class HTTPInstance(service.Service):
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
 
         if self.pkcs12_info:
+            if api.env.enable_ra:
+                trust_flags = 'CT,C,C'
+            else:
+                trust_flags = None
             db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
-                                  passwd=None, ca_file=self.ca_file)
+                                  passwd=None, ca_file=self.ca_file,
+                                  trust_flags=trust_flags)
             server_certs = db.find_server_certs()
             if len(server_certs) == 0:
                 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
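Review bot: This hunk keys the trust flags on `api.env.enable_ra` while the parallel dsinstance.py hunk uses `self.ca_is_configured`; whether the two predicates always agree cannot be told from the diff, and if they diverge the HTTP and DS databases would mark the CA differently, which is the very inconsistency the commit sets out to fix. Either use the same attribute in both places or add a comment, `# enable_ra is the HTTP-side signal that the IPA CA is in use; mirrors ca_is_configured in dsinstance`, explaining why they are expected to match. The enclosing method starts and ends outside the hunk.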