authorTomas Babej <tbabej@redhat.com>2013-09-24 10:54:57 +0200
committerPetr Viktorin <pviktori@redhat.com>2013-11-20 13:15:38 +0100
commit4a0e91449e2b65304ae8d660d1a480200b1a13d3 (patch)
tree16ced8dc1828b3a429abafb8d2f143e37af7cd07 /ipa-client/ipa-install
parent60b472479d6427243b5ef51c4dd60cdcd9e52afd (diff)
ipa-client-install: Publish CA certificate to systemwide store
During the installation, copy the CA certificate to the systemwide store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the systemwide CA database. This allows browsers to access IPA WebUI without warning out of the box. https://fedorahosted.org/freeipa/ticket/3504
Diffstat (limited to 'ipa-client/ipa-install')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install13
1 files changed, 12 insertions, 1 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7095e9226..e79cb48b0 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -673,6 +673,9 @@ def uninstall(options, env):
root_logger.warning('Please remove /etc/ipa/default.conf manually, '
'as it can cause subsequent installation to fail.')
+ # Remove the CA cert from the systemwide certificate store
+ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
# Remove the CA cert
try:
os.remove(CACERT)
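Review bot: The new `ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)` call sits outside any try/except and its result is not looked at, while the `os.remove(CACERT)` right below it is guarded. The helper's body is not part of this diff, so depending on how it reports failure, either uninstall aborts midway or the IPA CA silently stays a systemwide trust anchor after the host is unenrolled. I would guard the call and log the outcome, e.g. `root_logger.warning('Failed to remove the IPA CA from the systemwide CA store; remove the anchor manually.')`. The same applies to `insert_ca_cert_into_systemwide_ca_store(CACERT)` in the install hunk, where the certutil step next to it does return `CLIENT_INSTALL_ERROR` on failure. The body of uninstall() continues outside the hunk.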
@@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
root_logger.info("Configured /etc/sssd/sssd.conf")
+ # Add the CA to the platform-dependant systemwide CA store
+ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+
# Add the CA to the default NSS database and trust it
try:
- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ root_logger.debug("Attempting to add CA directly to the "
+ "default NSS database.")
+ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
except CalledProcessError, e:
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.info('Added the CA to the default NSS database.')
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
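Review bot: Publishing CACERT as a systemwide anchor at the `insert_ca_cert_into_systemwide_ca_store(CACERT)` line widens trust well beyond the IPA WebUI. Every program on the host that uses the system store will then accept any certificate this CA issues, for any name. How CACERT was obtained and verified is decided earlier in install(), outside this hunk, so the requirement should be stated at the call, e.g. `# CACERT must already be verified here: it becomes a trust anchor for every TLS client on this host`. An info-level log line naming the file that was added would also give administrators an audit trail for the new anchor.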