authorJan Cholasta <jcholast@redhat.com>2013-07-15 08:12:14 +0000
committerPetr Viktorin <pviktori@redhat.com>2013-08-20 16:19:08 +0200
commit7dbbb8bedc39c76e8484f945f2db54f930d9e109 (patch)
tree79b319f2119b4830f341d175b591564922599860
parentae5661aec85fec6ea68fc3d4ff59b70d1587c53c (diff)
Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.
https://fedorahosted.org/freeipa/ticket/3641
-rw-r--r--ipaserver/install/certs.py6
-rw-r--r--ipaserver/install/ipa_server_certinstall.py30
2 files changed, 23 insertions, 13 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7ad4c508..f1b92fdb 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -245,6 +245,9 @@ class NSSDatabase(object):
"-a"],
stdin=cert)
+ def delete_cert(self, nick):
+ self.run_certutil(["-D", "-n", nick])
+
def verify_server_cert_validity(self, nickname, hostname):
"""Verify a certificate is valid for a SSL server with given hostname
@@ -715,6 +718,9 @@ class CertDB(object):
"-f", self.passwd_fname]
self.run_certutil(args)
+ def delete_cert(self, nickname):
+ self.nssdb.delete_cert(nickname)
+
def create_pin_file(self):
"""
This is the format of Directory Server pin files.
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index b2070177..e4676098 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -102,19 +102,19 @@ class ServerCertInstall(admintool.AdminTool):
serverid = dsinstance.realm_to_serverid(api.env.realm)
dirname = dsinstance.config_dirname(serverid)
- pwdfile = os.path.join(dirname, 'pwdfile.txt')
- with open(pwdfile) as fd:
- passwd = fd.read()
-
- server_cert = self.import_cert(dirname, self.options.dirsrv_pin, passwd)
-
conn = ldap2(shared_instance=False, base_dn='')
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dm_password)
- entry = conn.make_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
- ('cn', 'config')),
- nssslpersonalityssl=[server_cert])
+ entry = conn.get_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
+ ('cn', 'config')),
+ ['nssslpersonalityssl'])
+ old_cert = entry.single_value('nssslpersonalityssl')
+
+ server_cert = self.import_cert(dirname, self.options.dirsrv_pin,
+ old_cert)
+
+ entry['nssslpersonalityssl'] = [server_cert]
try:
conn.update_entry(entry)
except errors.EmptyModlist:
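Review bot: `old_cert` taken from `entry.single_value('nssslpersonalityssl')` is handed straight to `import_cert`, where (per a later hunk) it becomes the nickname passed to `certutil -D`; if the entry lacks that attribute, the lookup presumably raises or yields an empty nickname, and the failure surfaces as a certutil error rather than a clear message. A check before the import, e.g. `if not old_cert: raise admintool.ScriptError("cannot determine the current DS server certificate nickname")`, would fail cleanly. The same applies to `installutils.get_directive(httpinstance.NSS_CONF, 'NSSNickname')` in the `install_http_cert` hunk, where a missing directive feeds the same path. `install_dirsrv_cert`'s signature is outside this hunk and the function continues past its end.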
@@ -125,7 +125,11 @@ class ServerCertInstall(admintool.AdminTool):
def install_http_cert(self):
dirname = certs.NSS_DIR
- server_cert = self.import_cert(dirname, self.options.http_pin, "")
+ old_cert = installutils.get_directive(httpinstance.NSS_CONF,
+ 'NSSNickname')
+
+ server_cert = self.import_cert(dirname, self.options.http_pin,
+ old_cert)
installutils.set_directive(httpinstance.NSS_CONF,
'NSSNickname', server_cert)
@@ -140,7 +144,7 @@ class ServerCertInstall(admintool.AdminTool):
os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
- def import_cert(self, dirname, pkcs12_passwd, db_password):
+ def import_cert(self, dirname, pkcs12_passwd, old_cert):
pw = write_tmp_file(pkcs12_passwd)
server_cert = installutils.check_pkcs12(
pkcs12_info=(self.pkcs12_fname, pw.name),
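Review bot: The renamed third parameter `old_cert` changes what callers must pass (a certificate nickname instead of a DB password), but `import_cert` has no docstring describing the new contract; a header such as `"""Import the server cert from self.pkcs12_fname into the NSS DB at dirname, replacing the certificate named old_cert; returns the new nickname."""` would make it visible. The body continues in the following hunk, where the old cert is deleted before `import_pkcs12` is attempted; if the import then fails, the database is left without a server certificate and the `ScriptError` path does not restore it, so the non-transactional behavior is worth documenting, or reordering if the tooling allows importing first. Whether import-before-delete is feasible depends on nickname collisions I cannot judge from this hunk.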
@@ -149,8 +153,8 @@ class ServerCertInstall(admintool.AdminTool):
cdb = certs.CertDB(api.env.realm, nssdir=dirname)
try:
- cdb.create_from_pkcs12(self.pkcs12_fname, pw.name,
- db_password, CACERT)
+ cdb.delete_cert(old_cert)
+ cdb.import_pkcs12(self.pkcs12_fname, pw.name)
except RuntimeError, e:
raise admintool.ScriptError(str(e))