From b382755feebc4f9a0cf0f985d84c81d57307e542 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 23 Jul 2009 12:16:56 -0400
Subject: No need to trust NSS built-in CA's, more specific regex for finding CA nickname
- Add some logging so we have a better idea of what happened if things fail
- Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output.
- Remove unused httplib import
Signed-off-by: Jason Gerard DeRose
---
 ipaserver/install/certs.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
(limited to 'ipaserver')
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7a4a31290..c1b7a8089 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -23,7 +23,6 @@ import errno
 import tempfile
 import shutil
 import logging
-import httplib
 import urllib
 import xml.dom.minidom
 import pwd
@@ -590,15 +589,28 @@ class CertDB(object):
 chain = p.stdout.read()
 chain = chain.split("\n")
-root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
+root_nickname = re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
+
+# Try to work around a change in the F-11 certutil where untrusted
+# CA's are not shown in the chain. This will make a default IPA
+# server installable.
+if root_nickname is None and self.self_signed_ca:
+return self.cacert_name
 return root_nickname
 def trust_root_cert(self, nickname):
 root_nickname = self.find_root_cert(nickname)
-self.run_certutil(["-M", "-n", root_nickname,
-"-t", "CT,CT,"])
+if root_nickname is None:
+logging.debug("Unable to identify root certificate to trust. Continueing but things are likely to fail.")
+return
+
+if root_nickname[:7] == "Builtin":
+logging.debug("No need to add trust for built-in root CA's, skipping %s" % root_nickname)
+else:
+self.run_certutil(["-M", "-n", root_nickname,
+"-t", "CT,CT,"])
 def find_server_certs(self):
 p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
-- cgit
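Review bot: The `root_nickname is None` guard added to find_root_cert is unreachable: `re.match(...)` returns None when the pattern does not match, so `.groups()[0]` raises AttributeError before root_nickname is ever assigned, and when the pattern does match, group 1 is always a string — so the F-11 fallback to `self.cacert_name` never engages and the new `is None` branch in trust_root_cert cannot be reached from this path either. Bind the match first and derive the nickname from it: `m = re.match('\ *"(.*)" \[.*', chain[0])` followed by `root_nickname = m.group(1) if m else None`. The `root_nickname[:7] == "Builtin"` test also keys on a user-visible nickname prefix rather than on which token the certificate lives in, so a CA imported into the local database under a nickname beginning with "Builtin" would silently never receive the `CT,CT,` trust flags; if the intent is to skip only certificates in the NSS Builtin Object Token, check for that instead (and `startswith("Builtin")` reads better than the slice). The debug message misspells "Continueing", and since an unidentified root leaves the server installed but unable to trust its own chain, that condition merits at least `logging.warning` rather than debug level. find_root_cert's body begins before the hunk and find_server_certs continues past it.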