From a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Thu, 15 Nov 2012 14:57:52 -0500 Subject: Use secure method to acquire IPA CA certificate Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce Signed-off-by: Rob Crittenden --- ipaserver/install/certs.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'ipaserver/install') diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bfbba08f..7b408586 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -227,7 +227,10 @@ class CertDB(object): if not subject_base: self.subject_base = DN(('O', 'IPA')) - self.cacert_name = get_ca_nickname(self.realm) + if self.self_signed_ca: + self.cacert_name = get_ca_nickname(self.realm, 'CN=%s Certificate Authority') + else: + self.cacert_name = get_ca_nickname(self.realm) self.valid_months = "120" self.keysize = "1024" -- cgit