author | Jan Cholasta <jcholast@redhat.com> | 2014-09-17 15:04:11 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-30 10:01:38 +0200 |
commit | 734afdf936913726b0310ca1d24731b1bdf1b5bd (patch) | |
tree | 8e7b3a0d2fbaf920882c773f3621bea494c8d938 /ipaplatform/fedora | |
parent | 4e680467517365caca596244ffc86e69037bde83 (diff) | |
download | freeipa-734afdf936913726b0310ca1d24731b1bdf1b5bd.tar.gz freeipa-734afdf936913726b0310ca1d24731b1bdf1b5bd.tar.xz freeipa-734afdf936913726b0310ca1d24731b1bdf1b5bd.zip |
Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
The file was used by previous versions of IPA to provide the IPA CA certificate
to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains
all the CA certificates and associated trust policy from the LDAP certificate
store.
Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to
prevent certificate import failures in installer code.
Also add ipa.p11-kit to the files owned by the freeipa-python package.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaplatform/fedora')
-rw-r--r-- | ipaplatform/fedora/tasks.py | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py
index 9f4a76b82..351f523c1 100644
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
@@ -158,6 +158,16 @@ class FedoraTaskNamespace(BaseTaskNamespace):
         auth_config.execute()
     def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
+        new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+
+        if os.path.exists(new_cacert_path):
+            try:
+                os.remove(new_cacert_path)
+            except OSError, e:
+                root_logger.error(
+                    "Could not remove %s: %s", new_cacert_path, e)
+                return False
+
         new_cacert_path = paths.IPA_P11_KIT
         try:
@@ -250,25 +260,33 @@ class FedoraTaskNamespace(BaseTaskNamespace):
             return False
     def remove_ca_certs_from_systemwide_ca_store(self):
-        new_cacert_path = paths.IPA_P11_KIT
+        ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+        update = False
         # Remove CA cert from systemwide store
-        if os.path.exists(new_cacert_path):
+        for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+            if not os.path.exists(new_cacert_path):
+                continue
             try:
                 os.remove(new_cacert_path)
-                ipautil.run([paths.UPDATE_CA_TRUST])
             except OSError, e:
-                root_logger.error('Could not remove: %s, %s'
-                                  % (new_cacert_path, str(e)))
-                return False
+                root_logger.error(
+                    "Could not remove %s: %s", new_cacert_path, e)
+            else:
+                update = True
+
+        if update:
+            try:
+                ipautil.run([paths.UPDATE_CA_TRUST])
             except CalledProcessError, e:
-                root_logger.error('Could not update systemwide CA trust '
-                                  'database: %s' % str(e))
+                root_logger.error(
+                    "Could not update systemwide CA trust database: %s", e)
                 return False
             else:
-                root_logger.info('Systemwide CA database updated.')
+                root_logger.info("Systemwide CA database updated.")
+                return True
-        return True
+        return False
     def backup_and_replace_hostname(self, fstore, statestore, hostname):
         old_hostname = socket.gethostname()
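Review bot: `new_cacert_path` is bound to the obsolete `ipa-ca.crt` path and then rebound to `paths.IPA_P11_KIT` a few lines later, so for the first nine lines of the method the name describes the wrong file; the second hunk already calls the same path `ipa_ca_crt`, and using that name here (`ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')` / `if os.path.exists(ipa_ca_crt):` / `os.remove(ipa_ca_crt)`) keeps the two methods consistent. The exists-then-remove pair is also a small race: if the file vanishes between the two calls the OSError aborts the entire CA import with `return False`, whereas removing unconditionally and ignoring ENOENT would make this cleanup idempotent (that needs `errno`, which I cannot see imported in this chunk). A one-line comment such as `# Stale ipa-ca.crt from pre-p11-kit versions would shadow ipa.p11-kit; drop it first` would tell the next reader why a method named insert_* starts by deleting a file. The body of insert_ca_certs_into_systemwide_ca_store continues past the end of the hunk.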
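Review bot: A failed os.remove is now only logged — the loop moves on, and if the other file was removed `update` becomes True and the method returns True, so a caller is told the CA material was cleaned out while, say, `ipa.p11-kit` is still sitting in the systemwide store and the IPA CA presumably remains trusted after uninstall. Track the failure alongside `update`: add `failed = False` next to `update = False`, set `failed = True` in the `except OSError` branch, and make the success path `return not failed` instead of `return True`, so update-ca-trust still runs for whatever was removed but the return value reflects the leftover file. The final `return False` also changes the no-op case (nothing to remove) from the old `return True` to False; if callers treat False as an error that deserves either keeping True there or a comment like `# Nothing was removed, so the trust database was not rebuilt` — the callers are not visible in this chunk.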