authorJan Cholasta <jcholast@redhat.com>2014-06-12 17:20:19 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit55d3bab57b83a32e8c0976902deea80236f387e7 (patch)
tree7ba6e59743fb8d38f2429eba30b45a320a68a344 /ipa-client
parent24932b2d91d3a32bc881d076562f9fe483a3d44e (diff)
Get CA certs for system-wide store from cert store in ipa-client-install.
All of the certificates and associated key policy are now stored in /etc/pki/ca-trust/source/ipa.p11-kit. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipa-client')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install14
1 files changed, 8 insertions, 6 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index c9a1d524b..08fefc86d 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -771,7 +771,7 @@ def uninstall(options, env):
'as it can cause subsequent installation to fail.')
# Remove the CA cert from the systemwide certificate store
- tasks.remove_ca_cert_from_systemwide_ca_store(CACERT)
+ tasks.remove_ca_certs_from_systemwide_ca_store()
# Remove the CA cert
try:
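Review bot: The outcome of `tasks.remove_ca_certs_from_systemwide_ca_store()` is discarded, so a failed removal would leave the IPA CAs as system-wide trust anchors on a host that has otherwise been unenrolled, with nothing in the uninstall log to show it. The same applies to `tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)` in the third hunk. The helper is not visible here; if it reports success as a boolean, `if not tasks.remove_ca_certs_from_systemwide_ca_store(): root_logger.warning("Failed to remove IPA CA certificates from the systemwide CA store")` would surface the failure. The comment above the call still says "the CA cert" and could read `# Remove the IPA CA certs from the systemwide certificate store`. uninstall() continues outside the hunk.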
@@ -2545,9 +2545,6 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
root_logger.info("Configured /etc/sssd/sssd.conf")
- # Add the CA to the platform-dependant systemwide CA store
- tasks.insert_ca_cert_into_systemwide_ca_store(CACERT)
-
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
# If on master assume kerberos is already configured properly.
@@ -2649,6 +2646,13 @@ def install(options, env, fstore, statestore):
if not remote_env['enable_ra']:
disable_ra()
+ # Get CA certificates from the certificate store
+ ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
+ remote_env['enable_ra'])
+
+ # Add the CA to the platform-dependant systemwide CA store
+ tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
+
# Add the CA to the default NSS database and trust it
if not purge_ipa_certs():
root_logger.info(
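Review bot: The relocated `get_certs_from_ldap(...)` call has no error handling in the visible lines, while neighbouring steps log the failure and `return CLIENT_INSTALL_ERROR`; an LDAP error here would surface as a traceback after sssd.conf has already been configured. Because every entry in `ca_certs` now becomes a system-wide trust anchor, the comment should also state which authenticated channel the lookup relies on, which this hunk does not show. Whether to abort or to continue without the system store is the maintainers' call; the sketch below aborts. install() begins and ends outside the hunk.

```python
    # Get CA certificates from the certificate store.
    # NOTE(review): everything returned here is installed as a system-wide
    # trust anchor; presumably the LDAP bind is authenticated -- confirm.
    try:
        ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
                                       remote_env['enable_ra'])
    except Exception as e:
        root_logger.error(
            "Failed to retrieve CA certificates from LDAP: %s", e)
        return CLIENT_INSTALL_ERROR

    # Add the CAs to the platform-dependent systemwide CA store
    tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
    # ... unchanged: purge_ipa_certs() and NSS database import ...
```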
@@ -2662,8 +2666,6 @@ def install(options, env, fstore, statestore):
root_logger.error("Failed to open /etc/pki/nssdb/ipa.txt: %s", e)
return CLIENT_INSTALL_ERROR
- ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
- remote_env['enable_ra'])
for cert, nickname, trusted, ext_key_usage in ca_certs:
try:
root_logger.debug("Attempting to add CA directly to the "