authorJan Cholasta <jcholast@redhat.com>2014-11-10 16:24:22 +0000
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-11-11 16:13:52 +0100
commit2639997dfee43d66e94ef9b5441289816c465e7d (patch)
tree6a945b35e5fe6473d4dbfa9d9f8dc195e54caa3e /ipaserver
parent8248f696275e2e63dab860a25467e2868aa17036 (diff)
Fix CA certificate backup and restore
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit. Create /etc/ipa/nssdb after restore if necessary. https://fedorahosted.org/freeipa/ticket/4711 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/ipa_backup.py2
-rw-r--r--ipaserver/install/ipa_restore.py35
2 files changed, 36 insertions, 1 deletions
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 34be5383d..682b626e5 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -137,6 +137,8 @@ class Backup(admintool.AdminTool):
paths.SYSCONFIG_ODS,
paths.ETC_SYSCONFIG_AUTHCONFIG,
paths.IPA_NSSDB_PWDFILE_TXT,
+ paths.IPA_P11_KIT,
+ paths.SYSTEMWIDE_IPA_CA_CRT,
paths.NSSWITCH_CONF,
paths.KRB5_KEYTAB,
paths.SSSD_CONF,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index cfe3dff9f..7276ed305 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -26,7 +26,7 @@ import pwd
from ConfigParser import SafeConfigParser
from ipalib import api, errors
-from ipapython import version
+from ipapython import version, ipautil, certdb
from ipapython.ipautil import run, user_input
from ipapython import admintool
from ipapython.dn import DN
@@ -277,7 +277,9 @@ class Restore(admintool.AdminTool):
create_ca_user()
if options.online:
raise admintool.ScriptError('File restoration cannot be done online.')
+ self.cert_restore_prepare()
self.file_restore(options.no_logs)
+ self.cert_restore()
if 'CA' in self.backup_services:
self.__create_dogtag_log_dirs()
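Review bot: The new `self.cert_restore_prepare()` call removes the IPA CA certificates from the system-wide trust store and renames the /etc/ipa/nssdb files aside before `file_restore` runs, but if `file_restore` raises, the matching `self.cert_restore()` (which is what re-adds the certificates and calls `tasks.reload_systemwide_ca_store()`) is never reached, so a failed file restore leaves the trust-store source removed with no reload and the nssdb set aside. Guarding the pair, e.g. `try: self.file_restore(options.no_logs)` / `except Exception: tasks.reload_systemwide_ca_store(); raise`, or at least logging that the CA trust store is now inconsistent, would make the failure mode explicit rather than silent. Whether the CA should be put back on failure is presumably a judgment call for the restore design; a one-line comment stating the intended behaviour on that path would help. The enclosing method starts and continues outside this hunk.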
@@ -659,3 +661,34 @@ class Restore(admintool.AdminTool):
tasks.set_selinux_booleans(bools)
except ipapython.errors.SetseboolError as e:
self.log.error('%s', e)
+
+ def cert_restore_prepare(self):
+ for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'):
+ filename = os.path.join(paths.IPA_NSSDB_DIR, basename)
+ try:
+ ipautil.backup_file(filename)
+ except OSError as e:
+ self.log.error("Failed to backup %s: %s" % (filename, e))
+
+ tasks.remove_ca_certs_from_systemwide_ca_store()
+
+ def cert_restore(self):
+ if not os.path.exists(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
+ certdb.create_ipa_nssdb()
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+ for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+ ('External CA cert', 'C,,')):
+ try:
+ cert = sys_db.get_cert(nickname)
+ except RuntimeError:
+ pass
+ else:
+ try:
+ ipa_db.add_cert(cert, nickname, trust_flags)
+ except ipautil.CalledProcessError as e:
+ self.log.error(
+ "Failed to add %s to %s: %s" %
+ (nickname, paths.IPA_NSSDB_DIR, e))
+
+ tasks.reload_systemwide_ca_store()
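Review bot: The `except RuntimeError: pass` around `sys_db.get_cert(nickname)` in `cert_restore` silently skips a nickname missing from the system NSS database, so a restore that ends with no 'IPA CA' in /etc/ipa/nssdb finishes without any message, whereas the `add_cert` failure right below is logged. At minimum log the skip, `except RuntimeError: self.log.warning("%s not found in %s, skipping", nickname, paths.NSS_DB_DIR)`, and consider treating a missing 'IPA CA' as an error, since the trust flags `CT,C,C` being written here suggest other components rely on that entry — confirm against callers. In `cert_restore_prepare`, the copies made by `ipautil.backup_file` of key3.db and pwdfile.txt remain on disk after a successful restore; if that helper does not preserve the originals' restrictive mode, the copies should be chmod'ed or removed, and a comment noting why they are kept would help. The hunk opens with the tail of a method whose start lies outside it; both new methods are complete within the hunk.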