diff options
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 10 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 10 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 9 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 56 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 9 |
5 files changed, 47 insertions, 47 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 4a645bc84..e03adfb9b 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -341,8 +341,8 @@ class CADSInstance(service.Service): class CAInstance(service.Service): """ - In the self-signed case (all done in certs.py) the CA exists in the DS - database. When using a dogtag CA the DS database contains just the + In the self-signed case the CA exists in the NSS_DB database. + When using a dogtag CA the DS database contains just the server cert for DS. The mod_nss database will contain the RA agent cert that will be used to do authenticated requests against dogtag. @@ -357,7 +357,7 @@ class CAInstance(service.Service): 2 = have signed cert, continue installation """ - def __init__(self, realm): + def __init__(self, realm, ra_db): service.Service.__init__(self, "pki-cad") self.realm = realm self.pki_user = "pkiuser" @@ -378,7 +378,7 @@ class CAInstance(service.Service): self.canickname = get_ca_nickname(realm) self.basedn = "o=ipaca" self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-") - self.ra_agent_db = "/etc/httpd/alias" + self.ra_agent_db = ra_db self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" self.ds_port = DEFAULT_DSPORT self.domain_name = "IPA" @@ -1000,5 +1000,5 @@ if __name__ == "__main__": installutils.standard_logging_setup("install.log", False) cs = CADSInstance() cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password") - ca = CAInstance("EXAMPLE.COM") + ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") ca.configure_instance("pkiuser", "catest.example.com", "password", "password") diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bd5c7bf9c..0a40c667c 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -47,6 +47,10 @@ from ipalib import api from ipalib.compat import sha1 +# Apache needs access to this database so we need to create it +# where apache can reach +NSS_DIR = "/etc/httpd/alias" + CA_SERIALNO="/var/lib/ipa/ca_serialno" def ipa_self_signed(): @@ -163,7 +167,7 @@ def next_replica(serial_file=CA_SERIALNO): return str(serial) class CertDB(object): - def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None): + def __init__(self, realm, nssdir=NSS_DIR, fstore=None, host_name=None, subject_base=None): self.secdir = nssdir self.realm = realm @@ -1040,3 +1044,7 @@ class CertDB(object): self.fstore.backup_file(self.pin_fname) self.fstore.backup_file(self.certreq_fname) self.fstore.backup_file(self.certder_fname) + + def publish_ca_cert(self, location): + shutil.copy(self.cacert_fname, location) + os.chmod(location, 0444) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 6fdc479ca..36bc51530 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -469,7 +469,7 @@ class DsInstance(service.Service): def __enable_ssl(self): dirname = config_dirname(self.serverid) - dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base) + dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base) if self.pkcs12_info: dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) server_certs = dsdb.find_server_certs() @@ -481,9 +481,8 @@ class DsInstance(service.Service): self.dercert = dsdb.get_cert_from_db(nickname) else: nickname = "Server-Cert" - cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base) + cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base) if self.self_signed_ca: - cadb.create_self_signed() dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb) dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname) @@ -601,7 +600,7 @@ class DsInstance(service.Service): # drop the trailing / off the config_dirname so the directory # will match what is in certmonger dirname = config_dirname(serverid)[:-1] - dsdb = certs.CertDB(dirname, self.realm_name) + dsdb = certs.CertDB(self.realm_name, nssdir=dirname) dsdb.untrack_server_cert("Server-Cert") erase_ds_instance_data(serverid) @@ -643,7 +642,7 @@ class DsInstance(service.Service): self.stop() dirname = config_dirname(realm_to_serverid(self.realm_name)) - certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base) + certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base) if not cacert_name or len(cacert_name) == 0: cacert_name = "Imported CA" # we can't pass in the nickname, so we set the instance variable diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 73930825f..411f2ae46 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -35,7 +35,6 @@ from ipalib import util, api HTTPD_DIR = "/etc/httpd" SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf" -NSS_DIR = HTTPD_DIR + "/alias" selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true. The web interface may not function correctly until this boolean is @@ -166,11 +165,13 @@ class HTTPInstance(service.Service): print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF def __setup_ssl(self): - if self.self_signed_ca: - ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) - else: - ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base) - db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) + fqdn = None + if not self.self_signed_ca: + fqdn = self.fqdn + + ca_db = certs.CertDB(self.realm, host_name=fqdn, subject_base=self.subject_base) + + db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="") server_certs = db.find_server_certs() @@ -186,31 +187,27 @@ class HTTPInstance(service.Service): else: if self.self_signed_ca: db.create_from_cacert(ca_db.cacert_fname) - db.create_password_conf() - self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db) - db.track_server_cert("Server-Cert", self.principal, db.passwd_fname) - db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) - else: - self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db) - db.track_server_cert("Server-Cert", self.principal, db.passwd_fname) - db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) - db.create_password_conf() + + db.create_password_conf() + self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db) + db.track_server_cert("Server-Cert", self.principal, db.passwd_fname) + db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) # Fix the database permissions - os.chmod(NSS_DIR + "/cert8.db", 0660) - os.chmod(NSS_DIR + "/key3.db", 0660) - os.chmod(NSS_DIR + "/secmod.db", 0660) - os.chmod(NSS_DIR + "/pwdfile.txt", 0660) + os.chmod(certs.NSS_DIR + "/cert8.db", 0660) + os.chmod(certs.NSS_DIR + "/key3.db", 0660) + os.chmod(certs.NSS_DIR + "/secmod.db", 0660) + os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660) pent = pwd.getpwnam("apache") - os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid ) - os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid ) - os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid ) - os.chown(NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid ) + os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid ) + os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid ) + os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid ) + os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid ) # Fix SELinux permissions on the database - ipautil.run(["/sbin/restorecon", NSS_DIR + "/cert8.db"]) - ipautil.run(["/sbin/restorecon", NSS_DIR + "/key3.db"]) + ipautil.run(["/sbin/restorecon", certs.NSS_DIR + "/cert8.db"]) + ipautil.run(["/sbin/restorecon", certs.NSS_DIR + "/key3.db"]) # In case this got generated as part of the install, reset the # context @@ -226,7 +223,7 @@ class HTTPInstance(service.Service): prefs_fd.close() # The signing cert is generated in __setup_ssl - db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base) + db = certs.CertDB(self.realm, subject_base=self.subject_base) pwdfile = open(db.passwd_fname) pwd = pwdfile.read() @@ -241,9 +238,8 @@ class HTTPInstance(service.Service): shutil.rmtree(tmpdir) def __publish_ca_cert(self): - ca_db = certs.CertDB(NSS_DIR, self.realm) - shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt") - os.chmod("/usr/share/ipa/html/ca.crt", 0444) + ca_db = certs.CertDB(self.realm) + ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt") def uninstall(self): if self.is_configured(): @@ -255,7 +251,7 @@ class HTTPInstance(service.Service): if not running is None: self.stop() - db = certs.CertDB(NSS_DIR, api.env.realm) + db = certs.CertDB(api.env.realm) db.untrack_server_cert("Server-Cert") if not enabled is None and not enabled: self.chkconfig_off() diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 516c7eac5..247b39009 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -45,7 +45,6 @@ import pyasn1.codec.ber.decoder import struct import certs -import httpinstance from distutils import version KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)' @@ -544,11 +543,10 @@ class KrbInstance(service.Service): def __setup_pkinit(self): if self.self_signed_ca: - ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm, + ca_db = certs.CertDB(self.realm, subject_base=self.subject_base) else: - ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm, - host_name=self.fqdn, + ca_db = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base) if self.pkcs12_info: @@ -564,8 +562,7 @@ class KrbInstance(service.Service): # Finally copy the cacert in the krb directory so we don't # have any selinux issues with the file context - shutil.copyfile("/usr/share/ipa/html/ca.crt", - "/var/kerberos/krb5kdc/cacert.pem") + shutil.copyfile("/etc/ipa/ca.crt", "/var/kerberos/krb5kdc/cacert.pem") def __add_anonymous_pkinit_principal(self): princ = "WELLKNOWN/ANONYMOUS" |