-rwxr-xr-xinstall/tools/ipa-replica-install2
-rwxr-xr-xinstall/tools/ipa-replica-prepare13
-rwxr-xr-xinstall/tools/ipa-server-certinstall2
-rwxr-xr-xinstall/tools/ipa-server-install13
-rw-r--r--ipaserver/install/cainstance.py10
-rw-r--r--ipaserver/install/certs.py10
-rw-r--r--ipaserver/install/dsinstance.py9
-rw-r--r--ipaserver/install/httpinstance.py56
-rw-r--r--ipaserver/install/krbinstance.py9
9 files changed, 62 insertions, 62 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c539e751..3d6f4743 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -158,7 +158,7 @@ def install_ca(config):
cs = cainstance.CADSInstance()
cs.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password)
- ca = cainstance.CAInstance(config.realm_name)
+ ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
ca.configure_instance("pkiuser", config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, subject_base=config.subject_base)
return ca
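Review bot: The new call references `certs.NSS_DIR`, but nothing in this hunk shows `certs` being imported into ipa-replica-install; if the script does not already import it from `ipaserver.install`, install_ca fails with a NameError at runtime rather than at import time. The ipa-server-install hunks make the same change and presumably have the import, so this is only a request to confirm it here. install_ca's body starts outside the hunk.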
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index d70741f1..b9e3425e 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -27,7 +27,7 @@ import krbV
from optparse import OptionParser
from ipapython import ipautil
-from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance
+from ipaserver.install import bindinstance, dsinstance, installutils, certs
from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr
from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
@@ -123,14 +123,9 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
try:
self_signed = certs.ipa_self_signed()
- db = certs.CertDB(dir, realm_name, subject_base=subject_base)
+ db = certs.CertDB(realm_name, nssdir=dir, subject_base=subject_base)
db.create_passwd_file()
-# if self_signed:
-# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
-# db.create_from_cacert(ca_db.cacert_fname)
-# else:
-# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
- ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
+ ca_db = certs.CertDB(realm_name, host_name=api.env.host, subject_base=subject_base)
if is_kdc:
ca_db.create_kdc_cert("KDC-Cert", hostname, dir)
else:
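Review bot: `self_signed = certs.ipa_self_signed()` at the top of the hunk no longer has a visible consumer now that the commented-out branch below it is removed and `ca_db` is built the same way in both cases. If the remainder of export_certdb (outside the hunk) does not read `self_signed`, drop the assignment so the call does not suggest a branch that no longer exists. export_certdb continues past the end of the hunk.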
@@ -177,7 +172,7 @@ def export_ra_pkcs12(dir, dm_password):
try:
try:
- db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)
+ db = certs.CertDB(api.env.realm, host_name=api.env.host)
if db.has_nickname("ipaCert"):
pkcs12_fname = "%s/ra.p12" % dir
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index 4b460535..5c6b25bc 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -89,7 +89,7 @@ def choose_server_cert(server_certs):
return server_certs[num - 1]
def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
- cdb = certs.CertDB(dirname, api.env.realm)
+ cdb = certs.CertDB(api.env.realm, nssdir=dirname)
cdb.create_passwd_file(db_password)
cdb.create_certdbs()
[pw_fd, pw_name] = tempfile.mkstemp()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 67c1a004..7fa6c71d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -420,8 +420,8 @@ def uninstall():
ntpinstance.NTPInstance(fstore).uninstall()
if cainstance.CADSInstance().is_configured():
cainstance.CADSInstance().uninstall()
- if cainstance.CAInstance(api.env.realm).is_configured():
- cainstance.CAInstance(api.env.realm).uninstall()
+ if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
+ cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
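Review bot: `cainstance.CAInstance(api.env.realm, certs.NSS_DIR)` is constructed twice in a row here, and per the cainstance.py hunk its constructor calls `tempfile.mkdtemp(prefix = "tmp-")`, so the `is_configured()` probe alone leaves two temporary directories behind on every uninstall. Bind it once: `ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)` / `if ca.is_configured():` / `ca.uninstall()`. The double construction predates this commit, but both lines are rewritten here. uninstall() continues outside the hunk.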
@@ -693,7 +693,12 @@ def main():
ntp = ntpinstance.NTPInstance(fstore)
ntp.create_instance()
- if not options.selfsign:
+ if options.selfsign:
+ ca = certs.CertDB(realm_name, host_name=host_name,
+ subject_base=options.subject)
+ ca.create_self_signed()
+ ca.publish_ca_cert("/etc/ipa/ca.crt")
+ else:
# Clean up any previous self-signed CA that may exist
try:
os.remove(certs.CA_SERIALNO)
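Review bot: The new `options.selfsign` branch is the only place in this commit that writes `/etc/ipa/ca.crt`, while the krbinstance.py hunk in `__setup_pkinit` now does `shutil.copyfile("/etc/ipa/ca.crt", ...)` unconditionally; in the dogtag path nothing visible in this diff publishes the CA certificate to that location, so the copy would raise IOError unless something outside the diff already writes it. Either the non-selfsign branch (which continues past this hunk) should call `publish_ca_cert("/etc/ipa/ca.crt")` once the CA cert is available, or krbinstance should fall back to the previous `/usr/share/ipa/html/ca.crt` source. Worth a one-line comment in the selfsign branch stating that this file is what the KDC install later consumes.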
@@ -720,7 +725,7 @@ def main():
if options.external_cert_file is None:
cs = cainstance.CADSInstance()
cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
- ca = cainstance.CAInstance(realm_name)
+ ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
if external == 0:
ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
elif external == 1:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 4a645bc8..e03adfb9 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -341,8 +341,8 @@ class CADSInstance(service.Service):
class CAInstance(service.Service):
"""
- In the self-signed case (all done in certs.py) the CA exists in the DS
- database. When using a dogtag CA the DS database contains just the
+ In the self-signed case the CA exists in the NSS_DB database.
+ When using a dogtag CA the DS database contains just the
server cert for DS. The mod_nss database will contain the RA agent
cert that will be used to do authenticated requests against dogtag.
@@ -357,7 +357,7 @@ class CAInstance(service.Service):
2 = have signed cert, continue installation
"""
- def __init__(self, realm):
+ def __init__(self, realm, ra_db):
service.Service.__init__(self, "pki-cad")
self.realm = realm
self.pki_user = "pkiuser"
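Review bot: The new mandatory `ra_db` constructor argument is undocumented; the class docstring touched in the previous hunk should state it, e.g. `ra_db -- path of the NSS database that holds the RA agent cert (callers pass certs.NSS_DIR)`. Every caller in this commit passes `certs.NSS_DIR`, and the `__main__` block at the end of this file repeats the literal "/etc/httpd/alias"; if `certs` is importable from cainstance.py, defaulting `ra_db` to `certs.NSS_DIR` would remove that duplicated path. `__init__` continues outside the hunk.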
@@ -378,7 +378,7 @@ class CAInstance(service.Service):
self.canickname = get_ca_nickname(realm)
self.basedn = "o=ipaca"
self.ca_agent_db = tempfile.mkdtemp(prefix = "tmp-")
- self.ra_agent_db = "/etc/httpd/alias"
+ self.ra_agent_db = ra_db
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ds_port = DEFAULT_DSPORT
self.domain_name = "IPA"
@@ -1000,5 +1000,5 @@ if __name__ == "__main__":
installutils.standard_logging_setup("install.log", False)
cs = CADSInstance()
cs.create_instance("dirsrv", "EXAMPLE.COM", "catest.example.com", "example.com", "password")
- ca = CAInstance("EXAMPLE.COM")
+ ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("pkiuser", "catest.example.com", "password", "password")
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index bd5c7bf9..0a40c667 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -47,6 +47,10 @@ from ipalib import api
from ipalib.compat import sha1
+# Apache needs access to this database so we need to create it
+# where apache can reach
+NSS_DIR = "/etc/httpd/alias"
+
CA_SERIALNO="/var/lib/ipa/ca_serialno"
def ipa_self_signed():
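Review bot: `/etc/ipa/ca.crt` is introduced as a bare literal in two files by this commit (ipa-server-install `main` and krbinstance.py `__setup_pkinit`); since this module now owns the shared `NSS_DIR`, a sibling constant such as `CACERT = "/etc/ipa/ca.crt"` next to it would keep the producer and consumer in step. The comment above `NSS_DIR` could also mention that it is the default `nssdir` for `CertDB`, which is why the other modules stopped naming it explicitly.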
@@ -163,7 +167,7 @@ def next_replica(serial_file=CA_SERIALNO):
return str(serial)
class CertDB(object):
- def __init__(self, nssdir, realm, fstore=None, host_name=None, subject_base=None):
+ def __init__(self, realm, nssdir=NSS_DIR, fstore=None, host_name=None, subject_base=None):
self.secdir = nssdir
self.realm = realm
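Review bot: Swapping `nssdir` and `realm` changes the meaning of the first positional argument, and since both are strings a caller still written as `CertDB(dir, realm)` gets the two silently exchanged and only fails later when a path under the realm name is used. All callers in the nine files here are updated, but any caller outside this diff should be checked, and a short docstring on `__init__` stating the new order (`realm` first, `nssdir` defaulting to `NSS_DIR`) would make the intent explicit. `__init__` continues outside the hunk.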
@@ -1040,3 +1044,7 @@ class CertDB(object):
self.fstore.backup_file(self.pin_fname)
self.fstore.backup_file(self.certreq_fname)
self.fstore.backup_file(self.certder_fname)
+
+ def publish_ca_cert(self, location):
+ shutil.copy(self.cacert_fname, location)
+ os.chmod(location, 0444)
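Review bot: `publish_ca_cert` has no docstring, and `shutil.copy` first carries over the source file's mode bits before the `os.chmod` resets them; `shutil.copyfile`, which krbinstance.py already uses for the same kind of copy, transfers only the contents and leaves the chmod as the single source of the published permissions. Suggested docstring: `"""Copy the CA certificate to *location* and make it world-readable (0444)."""`.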
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6fdc479c..36bc5153 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -469,7 +469,7 @@ class DsInstance(service.Service):
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
- dsdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
+ dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
if self.pkcs12_info:
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
server_certs = dsdb.find_server_certs()
@@ -481,9 +481,8 @@ class DsInstance(service.Service):
self.dercert = dsdb.get_cert_from_db(nickname)
else:
nickname = "Server-Cert"
- cadb = certs.CertDB(httpinstance.NSS_DIR, self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
+ cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
if self.self_signed_ca:
- cadb.create_self_signed()
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname)
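Review bot: With `cadb.create_self_signed()` removed, the self-signed branch of `__enable_ssl` now depends on the CA already existing in `certs.NSS_DIR` before DS is configured, which per this commit happens in ipa-server-install `main`; `dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)` will fail for any caller that constructs DsInstance with `self_signed_ca` set without having done that first. A comment on the `if self.self_signed_ca:` line such as `# the self-signed CA is created by the installer before DS setup; it is only consumed here` would record the new precondition. `__enable_ssl` continues outside the hunk.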
@@ -601,7 +600,7 @@ class DsInstance(service.Service):
# drop the trailing / off the config_dirname so the directory
# will match what is in certmonger
dirname = config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(dirname, self.realm_name)
+ dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
@@ -643,7 +642,7 @@ class DsInstance(service.Service):
self.stop()
dirname = config_dirname(realm_to_serverid(self.realm_name))
- certdb = certs.CertDB(dirname, self.realm_name, subject_base=self.subject_base)
+ certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
if not cacert_name or len(cacert_name) == 0:
cacert_name = "Imported CA"
# we can't pass in the nickname, so we set the instance variable
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 73930825..411f2ae4 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -35,7 +35,6 @@ from ipalib import util, api
HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
-NSS_DIR = HTTPD_DIR + "/alias"
selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
The web interface may not function correctly until this boolean is
@@ -166,11 +165,13 @@ class HTTPInstance(service.Service):
print "Adding Include conf.d/ipa-rewrite to %s failed." % NSS_CONF
def __setup_ssl(self):
- if self.self_signed_ca:
- ca_db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
- else:
- ca_db = certs.CertDB(NSS_DIR, self.realm, host_name=self.fqdn, subject_base=self.subject_base)
- db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
+ fqdn = None
+ if not self.self_signed_ca:
+ fqdn = self.fqdn
+
+ ca_db = certs.CertDB(self.realm, host_name=fqdn, subject_base=self.subject_base)
+
+ db = certs.CertDB(self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
server_certs = db.find_server_certs()
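Review bot: The three-line `fqdn = None` / `if not self.self_signed_ca:` / `fqdn = self.fqdn` prelude reads more directly as a single conditional expression, `fqdn = None if self.self_signed_ca else self.fqdn`, which this Python 2 code base can already use. The same if/else-on-`host_name` shape survives in the krbinstance.py `__setup_pkinit` hunk, where the two `certs.CertDB(...)` calls differ only in that keyword and could collapse the same way. `__setup_ssl` continues outside the hunk.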
@@ -186,31 +187,27 @@ class HTTPInstance(service.Service):
else:
if self.self_signed_ca:
db.create_from_cacert(ca_db.cacert_fname)
- db.create_password_conf()
- self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
- db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
- db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
- else:
- self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
- db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
- db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
- db.create_password_conf()
+
+ db.create_password_conf()
+ self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
+ db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
+ db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
# Fix the database permissions
- os.chmod(NSS_DIR + "/cert8.db", 0660)
- os.chmod(NSS_DIR + "/key3.db", 0660)
- os.chmod(NSS_DIR + "/secmod.db", 0660)
- os.chmod(NSS_DIR + "/pwdfile.txt", 0660)
+ os.chmod(certs.NSS_DIR + "/cert8.db", 0660)
+ os.chmod(certs.NSS_DIR + "/key3.db", 0660)
+ os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
+ os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
pent = pwd.getpwnam("apache")
- os.chown(NSS_DIR + "/cert8.db", 0, pent.pw_gid )
- os.chown(NSS_DIR + "/key3.db", 0, pent.pw_gid )
- os.chown(NSS_DIR + "/secmod.db", 0, pent.pw_gid )
- os.chown(NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
+ os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
+ os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
+ os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
+ os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
# Fix SELinux permissions on the database
- ipautil.run(["/sbin/restorecon", NSS_DIR + "/cert8.db"])
- ipautil.run(["/sbin/restorecon", NSS_DIR + "/key3.db"])
+ ipautil.run(["/sbin/restorecon", certs.NSS_DIR + "/cert8.db"])
+ ipautil.run(["/sbin/restorecon", certs.NSS_DIR + "/key3.db"])
# In case this got generated as part of the install, reset the
# context
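Review bot: Collapsing the two branches silently reorders the dogtag case: `db.create_password_conf()` previously ran after `create_signing_cert` when `self_signed_ca` was false and now runs before `create_server_cert`; if the old ordering was deliberate this needs confirming, and either way a one-line comment noting that both cases now share one sequence would help the next reader. The permission fix-up below hard-codes `certs.NSS_DIR` although `db` already carries the directory it was opened on (`self.secdir` in `CertDB.__init__`), so `db.secdir` would keep the chmod/chown bound to the database actually in use; the four repeated chmod/chown pairs could also be one loop over the file names. `__setup_ssl` continues outside the hunk.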
@@ -226,7 +223,7 @@ class HTTPInstance(service.Service):
prefs_fd.close()
# The signing cert is generated in __setup_ssl
- db = certs.CertDB(NSS_DIR, self.realm, subject_base=self.subject_base)
+ db = certs.CertDB(self.realm, subject_base=self.subject_base)
pwdfile = open(db.passwd_fname)
pwd = pwdfile.read()
@@ -241,9 +238,8 @@ class HTTPInstance(service.Service):
shutil.rmtree(tmpdir)
def __publish_ca_cert(self):
- ca_db = certs.CertDB(NSS_DIR, self.realm)
- shutil.copy(ca_db.cacert_fname, "/usr/share/ipa/html/ca.crt")
- os.chmod("/usr/share/ipa/html/ca.crt", 0444)
+ ca_db = certs.CertDB(self.realm)
+ ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt")
def uninstall(self):
if self.is_configured():
@@ -255,7 +251,7 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
- db = certs.CertDB(NSS_DIR, api.env.realm)
+ db = certs.CertDB(api.env.realm)
db.untrack_server_cert("Server-Cert")
if not enabled is None and not enabled:
self.chkconfig_off()
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 516c7eac..247b3900 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -45,7 +45,6 @@ import pyasn1.codec.ber.decoder
import struct
import certs
-import httpinstance
from distutils import version
KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)'
@@ -544,11 +543,10 @@ class KrbInstance(service.Service):
def __setup_pkinit(self):
if self.self_signed_ca:
- ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
+ ca_db = certs.CertDB(self.realm,
subject_base=self.subject_base)
else:
- ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
- host_name=self.fqdn,
+ ca_db = certs.CertDB(self.realm, host_name=self.fqdn,
subject_base=self.subject_base)
if self.pkcs12_info:
@@ -564,8 +562,7 @@ class KrbInstance(service.Service):
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
- shutil.copyfile("/usr/share/ipa/html/ca.crt",
- "/var/kerberos/krb5kdc/cacert.pem")
+ shutil.copyfile("/etc/ipa/ca.crt", "/var/kerberos/krb5kdc/cacert.pem")
def __add_anonymous_pkinit_principal(self):
princ = "WELLKNOWN/ANONYMOUS"