diff options
| author | Tomas Babej <tbabej@redhat.com> | 2013-09-24 10:54:57 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2013-11-20 13:15:38 +0100 |
| commit | 4a0e91449e2b65304ae8d660d1a480200b1a13d3 (patch) | |
| tree | 16ced8dc1828b3a429abafb8d2f143e37af7cd07 /ipa-client | |
| parent | 60b472479d6427243b5ef51c4dd60cdcd9e52afd (diff) | |
| download | freeipa-4a0e91449e2b65304ae8d660d1a480200b1a13d3.tar.gz freeipa-4a0e91449e2b65304ae8d660d1a480200b1a13d3.tar.xz freeipa-4a0e91449e2b65304ae8d660d1a480200b1a13d3.zip | |
ipa-client-install: Publish CA certificate to systemwide store
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
Diffstat (limited to 'ipa-client')
| -rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7095e922..e79cb48b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -673,6 +673,9 @@ def uninstall(options, env): root_logger.warning('Please remove /etc/ipa/default.conf manually, ' 'as it can cause subsequent installation to fail.') + # Remove the CA cert from the systemwide certificate store + ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT) + # Remove the CA cert try: os.remove(CACERT) @@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore): return CLIENT_INSTALL_ERROR root_logger.info("Configured /etc/sssd/sssd.conf") + # Add the CA to the platform-dependant systemwide CA store + ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT) + # Add the CA to the default NSS database and trust it try: - run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT]) + root_logger.debug("Attempting to add CA directly to the " + "default NSS database.") + run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", + "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT]) except CalledProcessError, e: root_logger.info("Failed to add CA to the default NSS database.") return CLIENT_INSTALL_ERROR + else: + root_logger.info('Added the CA to the default NSS database.') host_principal = 'host/%s@%s' % (hostname, cli_realm) if options.on_master: |