author | Jan Cholasta <jcholast@redhat.com> | 2014-11-10 16:24:22 +0000 |
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-11-11 16:13:52 +0100 |
commit | 2639997dfee43d66e94ef9b5441289816c465e7d (patch) | |
tree | 6a945b35e5fe6473d4dbfa9d9f8dc195e54caa3e /ipaplatform | |
parent | 8248f696275e2e63dab860a25467e2868aa17036 (diff) | |
Fix CA certificate backup and restore
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaplatform')
-rw-r--r-- | ipaplatform/base/paths.py | 2 | ||||
-rw-r--r-- | ipaplatform/base/tasks.py | 9 | ||||
-rw-r--r-- | ipaplatform/redhat/tasks.py | 43 |
3 files changed, 31 insertions, 23 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 01505594a..90dfdef0c 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -92,7 +92,7 @@ class BasePathNamespace(object):
     PAM_LDAP_CONF = "/etc/pam_ldap.conf"
     PASSWD = "/etc/passwd"
     ETC_PKI_CA_DIR = "/etc/pki-ca"
-    SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
+    SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
     IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
     NSS_DB_DIR = "/etc/pki/nssdb"
     PKI_TOMCAT = "/etc/pki/pki-tomcat"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index f2ba81f44..9b15119c4 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -55,6 +55,15 @@ class BaseTaskNamespace(object):
         return
 
+    def reload_systemwide_ca_store(self):
+        """
+        Reloads the systemwide CA store.
+
+        Returns True if the operation succeeded, False otherwise.
+        """
+
+        return True
+
     def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
         """
         Adds CA certificates from 'ca_certs' to the systemwide CA store
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 0386f7f9c..cb0a27f73 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -161,8 +161,19 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         auth_config.add_option("nostart")
         auth_config.execute()
 
+    def reload_systemwide_ca_store(self):
+        try:
+            ipautil.run([paths.UPDATE_CA_TRUST])
+        except CalledProcessError, e:
+            root_logger.error(
+                "Could not update systemwide CA trust database: %s", e)
+            return False
+        else:
+            root_logger.info("Systemwide CA database updated.")
+            return True
+
     def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-        new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+        new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
 
         if os.path.exists(new_cacert_path):
             try:
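Review bot: SYSTEMWIDE_CA_STORE is removed from BasePathNamespace rather than kept next to the new SYSTEMWIDE_IPA_CA_CRT, so any module outside ipaplatform that still reads paths.SYSTEMWIDE_CA_STORE would fail with an AttributeError at runtime; the diffstat shown here is limited to ipaplatform, so whether such callers exist or were updated in the same commit is not visible. If the anchors directory path is still needed anywhere, keeping `SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"` alongside the new constant avoids a silent break.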
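Review bot: The base reload_systemwide_ca_store() returns True without doing anything, and its docstring does not say so, so a reader of BaseTaskNamespace cannot tell that a platform which does not override it will report a successful reload while the trust store is never refreshed. I would extend the docstring with `The base implementation is a no-op that reports success; platform namespaces must override it to actually refresh the store.` so the contract and the stub behaviour are both visible at the declaration.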
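Review bot: reload_systemwide_ca_store() in the Red Hat namespace only catches CalledProcessError around ipautil.run([paths.UPDATE_CA_TRUST]), so if the update-ca-trust binary is missing or not executable the underlying process launch presumably raises OSError instead, which would escape the method and every caller that now relies on its True/False result — I have not verified what ipautil.run wraps. Catching both, `except (CalledProcessError, OSError), e:`, keeps the documented boolean contract and still logs the failure at error level. The class continues outside the hunk.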
@@ -251,24 +262,18 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         f.close()
 
         # Add the CA to the systemwide CA trust database
-        try:
-            ipautil.run([paths.UPDATE_CA_TRUST])
-        except CalledProcessError, e:
-            root_logger.info("Failed to add CA to the systemwide "
-                             "CA trust database: %s" % str(e))
-        else:
-            root_logger.info('Added the CA to the systemwide CA trust '
-                             'database.')
-            return True
+        if not self.reload_systemwide_ca_store():
+            return False
 
-        return False
+        return True
 
     def remove_ca_certs_from_systemwide_ca_store(self):
-        ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+        result = True
         update = False
 
         # Remove CA cert from systemwide store
-        for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+        for new_cacert_path in (paths.IPA_P11_KIT,
+                                paths.SYSTEMWIDE_IPA_CA_CRT):
             if not os.path.exists(new_cacert_path):
                 continue
             try:
@@ -276,21 +281,15 @@ class RedHatTaskNamespace(BaseTaskNamespace):
             except OSError, e:
                 root_logger.error(
                     "Could not remove %s: %s", new_cacert_path, e)
+                result = False
             else:
                 update = True
 
         if update:
-            try:
-                ipautil.run([paths.UPDATE_CA_TRUST])
-            except CalledProcessError, e:
-                root_logger.error(
-                    "Could not update systemwide CA trust database: %s", e)
+            if not self.reload_systemwide_ca_store():
                 return False
-            else:
-                root_logger.info("Systemwide CA database updated.")
-                return True
 
-        return False
+        return result
 
     def backup_and_replace_hostname(self, fstore, statestore, hostname):
         old_hostname = socket.gethostname()
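Review bot: The new tail of insert_ca_certs_into_systemwide_ca_store() spells the boolean result out over four lines, `if not self.reload_systemwide_ca_store(): return False` followed by `return True`, which is equivalent to `return self.reload_systemwide_ca_store()`; the shorter form reads as what it is, the reload result becoming the method result. The function starts outside the hunk, so whether earlier write failures already return False is not visible here.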
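Review bot: In remove_ca_certs_from_systemwide_ca_store() the new `result` flag records a failed removal, but a failed reload still returns False early instead of feeding the same flag, so the two failure paths are handled in different styles; `if update and not self.reload_systemwide_ca_store(): result = False` followed by the existing `return result` handles both uniformly. When a removal fails, that CA certificate stays in the systemwide trust source, and the error log naming the path is the right signal for an operator, but the False return does not tell the caller whether the file is still present or only the trust database is stale — worth a sentence in the base-class docstring if callers act on the result. The try body with the removal call lies just before the hunk's first line.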