authorRob Crittenden <rcrit@thor.greyoak.com>2009-07-23 12:16:56 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-07-23 13:45:45 -0600
commitb382755feebc4f9a0cf0f985d84c81d57307e542 (patch)
treeeeed91973ff4d7ff3787da640b1f016d74a03b2b /ipaserver/install/certs.py
parenta9f70edb87c3d051199b44e65869ee13bee4a5bb (diff)
No need to trust NSS built-in CA's, more specific regex for finding CA nickname
- Add some logging so we have a better idea of what happened if things fail.
- Default to the self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CAs in -O output.
- Remove the unused httplib import.

Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
Diffstat (limited to 'ipaserver/install/certs.py')
-rw-r--r--ipaserver/install/certs.py20
1 files changed, 16 insertions, 4 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7a4a31290..c1b7a8089 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -23,7 +23,6 @@ import errno
import tempfile
import shutil
import logging
-import httplib
import urllib
import xml.dom.minidom
import pwd
@@ -590,15 +589,28 @@ class CertDB(object):
chain = p.stdout.read()
chain = chain.split("\n")
- root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+ root_nickname = re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
+
+ # Try to work around a change in the F-11 certutil where untrusted
+ # CA's are not shown in the chain. This will make a default IPA
+ # server installable.
+ if root_nickname is None and self.self_signed_ca:
+ return self.cacert_name
return root_nickname
def trust_root_cert(self, nickname):
root_nickname = self.find_root_cert(nickname)
- self.run_certutil(["-M", "-n", root_nickname,
- "-t", "CT,CT,"])
+ if root_nickname is None:
+ logging.debug("Unable to identify root certificate to trust. Continueing but things are likely to fail.")
+ return
+
+ if root_nickname[:7] == "Builtin":
+ logging.debug("No need to add trust for built-in root CA's, skipping %s" % root_nickname)
+ else:
+ self.run_certutil(["-M", "-n", root_nickname,
+ "-t", "CT,CT,"])
def find_server_certs(self):
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
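Review bot: The `root_nickname is None` fallback added after the regex can never fire, because `re.match(...).groups()[0]` either yields a string (the `(.*)` group always participates, so it is never None) or raises AttributeError when the first line of the certutil output does not match the new, stricter `" \[` pattern; the self-signed default the commit describes is therefore unreachable and a non-matching line crashes find_root_cert instead of reaching trust_root_cert's new None check. Bind the match object first and derive the nickname from it: `m = re.match(r'\ *"(.*)" \[.*', chain[0])` and `root_nickname = m.group(1) if m else None`, keeping the rest of the branch as written. The start of find_root_cert, including the certutil invocation whose output `chain` is parsed, lies before this hunk, so whether an empty or error output reaches this line cannot be judged here. Separately, `root_nickname[:7] == "Builtin"` reads more clearly as `root_nickname.startswith("Builtin")`, and the debug message has a typo (`Continueing` → `Continuing`).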