diff options
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index b6483fb3d..7e7adfa79 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -65,8 +65,7 @@ class HTTPInstance(service.Service): self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl) self.step("Setting mod_nss port to 443", self.__set_mod_nss_port) - if not self_signed_ca: - self.step("Setting mod_nss password file", self.__set_mod_nss_passwordfile) + self.step("Setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("Adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("creating a keytab for httpd", self.__create_http_keytab) @@ -158,7 +157,7 @@ class HTTPInstance(service.Service): def __setup_ssl(self): if self.self_signed_ca: - ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) + ca_db = certs.CertDB(NSS_DIR) else: ca_db = certs.CertDB(NSS_DIR, host_name=self.fqdn) db = certs.CertDB(NSS_DIR) @@ -176,6 +175,7 @@ class HTTPInstance(service.Service): else: if self.self_signed_ca: db.create_from_cacert(ca_db.cacert_fname) + db.create_password_conf() db.create_server_cert("Server-Cert", self.fqdn, ca_db) db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) else: @@ -184,14 +184,27 @@ class HTTPInstance(service.Service): db.create_password_conf() # Fix the database permissions - os.chmod(NSS_DIR + "/cert8.db", 0640) - os.chmod(NSS_DIR + "/key3.db", 0640) - os.chmod(NSS_DIR + "/secmod.db", 0640) + os.chmod(NSS_DIR + "/cert8.db", 0660) + os.chmod(NSS_DIR + "/key3.db", 0660) + os.chmod(NSS_DIR + "/secmod.db", 0660) + os.chmod(NSS_DIR + "/pwdfile.txt", 0660) pent = pwd.getpwnam("apache") os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid ) os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid ) os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid ) + os.chown(NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid ) + + # Fix SELinux permissions on the database + ipautil.run(["/sbin/restorecon", NSS_DIR + "/cert8.db"]) + ipautil.run(["/sbin/restorecon", NSS_DIR + "/key3.db"]) + + # In case this got generated as part of the install, reset the + # context + if ipautil.file_exists(certs.CA_SERIALNO): + ipautil.run(["/sbin/restorecon", certs.CA_SERIALNO]) + os.chown(certs.CA_SERIALNO, 0, pent.pw_gid) + os.chmod(certs.CA_SERIALNO, 0664) def __setup_autoconfig(self): prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict) @@ -202,19 +215,20 @@ class HTTPInstance(service.Service): # The signing cert is generated in __setup_ssl db = certs.CertDB(NSS_DIR) + pwdfile = open(db.passwd_fname) + pwd = pwdfile.read() + pwdfile.close() + tmpdir = tempfile.mkdtemp(prefix = "tmp-") shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir) db.run_signtool(["-k", "Signing-Cert", "-Z", "/usr/share/ipa/html/configure.jar", - "-e", ".html", + "-e", ".html", "-p", pwd, tmpdir]) shutil.rmtree(tmpdir) def __publish_ca_cert(self): - if self.self_signed_ca: - ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm))) - else: - ca_db = certs.CertDB(NSS_DIR) + ca_db = certs.CertDB(NSS_DIR) shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt") os.chmod("/usr/share/ipa/html/ca.crt", 0444) |