From da66600e8ae07fa4169d24909c7d04ed69d2906c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 1 Aug 2016 22:35:32 +0200
Subject: Added log messages for certificate import during cloning.
To help troubleshooting cloning issues the security_databases.py has been modified to log the content of the PKCS #12 file before import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
---
 .../deployment/scriptlets/security_databases.py | 42 ++++++++++++++++++----
 1 file changed, 35 insertions(+), 7 deletions(-)
(limited to 'base/server/python')
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 18fc3e1ef..99daf1564 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -19,9 +19,11 @@
 #
 from __future__ import absolute_import
+from __future__ import print_function
 import os
 import pki.nssdb
+import pki.pkcs12
 import pki.server
 # PKI Deployment Imports
@@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 directory=deployer.mdict['pki_database_path'],
 password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_server_pkcs12_path,
- pkcs12_password=pki_server_pkcs12_password)
+ try:
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_server_pkcs12_path,
+ pkcs12_password=pki_server_pkcs12_password)
+ finally:
+ nssdb.close()
 # update external CA file (if needed)
 external_certs_path = deployer.mdict['pki_server_external_certs_path']
@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 directory=deployer.mdict['pki_database_path'],
 password_file=deployer.mdict['pki_shared_pfile'])
- nssdb.import_pkcs12(
- pkcs12_file=pki_clone_pkcs12_path,
- pkcs12_password=pki_clone_pkcs12_password,
- no_user_certs=True)
+ try:
+ print('Importing certificates from %s:' % pki_clone_pkcs12_path)
+
+ # The PKCS12 class requires an NSS database to run. For simplicity
+ # it uses the NSS database that has just been created.
+ pkcs12 = pki.pkcs12.PKCS12(
+ path=pki_clone_pkcs12_path,
+ password=pki_clone_pkcs12_password,
+ nssdb=nssdb)
+
+ try:
+ pkcs12.show_certs()
+ finally:
+ pkcs12.close()
+
+ # Import certificates
+ nssdb.import_pkcs12(
+ pkcs12_file=pki_clone_pkcs12_path,
+ pkcs12_password=pki_clone_pkcs12_password,
+ no_user_certs=True)
+
+ print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
+
+ nssdb.show_certs()
+
+ finally:
+ nssdb.close()
 if len(deployer.instance.tomcat_instance_subsystems()) < 2:
-- cgit
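Review bot: The new `pkcs12.show_certs()` call runs ahead of `nssdb.import_pkcs12(...)` inside the same outer `try`, so if the listing can raise, a purely diagnostic step aborts the clone import and the error that surfaces is the listing's rather than the import's. Consider guarding it by adding `except Exception as e: print('Unable to list certificates in %s: %s' % (pki_clone_pkcs12_path, e))` between the inner `try` and its `finally`, so the import still runs and reports its own failure. The messages also go to stdout through `print` although the commit message calls them log messages; if this scriptlet has a deployment logger, routing them there would keep the before/after listing in the install log. It is worth confirming that both `show_certs()` calls emit certificate metadata only, since a clone PKCS #12 file normally carries private keys as well and its password is handed to the `PKCS12` object here. The enclosing method starts outside this hunk.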