summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorRob Crittenden <rcrit@thor.greyoak.com>2009-07-23 12:16:56 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-07-23 13:45:45 -0600
commitb382755feebc4f9a0cf0f985d84c81d57307e542 (patch)
treeeeed91973ff4d7ff3787da640b1f016d74a03b2b /ipaserver
parenta9f70edb87c3d051199b44e65869ee13bee4a5bb (diff)
downloadfreeipa-b382755feebc4f9a0cf0f985d84c81d57307e542.tar.gz
freeipa-b382755feebc4f9a0cf0f985d84c81d57307e542.tar.xz
freeipa-b382755feebc4f9a0cf0f985d84c81d57307e542.zip
No need to trust NSS built-in CA's, more specific regex for finding CA nickname
- Add some logging so we have a better idea of what happened if things fail - Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output. - Remove unused httplib import Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/certs.py20
1 files changed, 16 insertions, 4 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7a4a31290..c1b7a8089 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -23,7 +23,6 @@ import errno
import tempfile
import shutil
import logging
-import httplib
import urllib
import xml.dom.minidom
import pwd
@@ -590,15 +589,28 @@ class CertDB(object):
chain = p.stdout.read()
chain = chain.split("\n")
- root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+ root_nickname = re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
+
+ # Try to work around a change in the F-11 certutil where untrusted
+ # CA's are not shown in the chain. This will make a default IPA
+ # server installable.
+ if root_nickname is None and self.self_signed_ca:
+ return self.cacert_name
return root_nickname
def trust_root_cert(self, nickname):
root_nickname = self.find_root_cert(nickname)
- self.run_certutil(["-M", "-n", root_nickname,
- "-t", "CT,CT,"])
+ if root_nickname is None:
+ logging.debug("Unable to identify root certificate to trust. Continueing but things are likely to fail.")
+ return
+
+ if root_nickname[:7] == "Builtin":
+ logging.debug("No need to add trust for built-in root CA's, skipping %s" % root_nickname)
+ else:
+ self.run_certutil(["-M", "-n", root_nickname,
+ "-t", "CT,CT,"])
def find_server_certs(self):
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,