authorJan Cholasta <jcholast@redhat.com>2016-01-21 08:58:56 +0100
committerTomas Babej <tbabej@redhat.com>2016-01-27 14:38:10 +0100
commiteaafeddf769c25bd44b490ae18ffb58e97df4963 (patch)
tree6b221e72c4d8742a442cef6dd05ff3a02c6421f6 /install/restart_scripts
parent6e1eb5bc8f83faa38203bd308896d0b15f359b24 (diff)
cert renewal: import all external CA certs on IPA CA cert renewal
Import all external CA certs into the Dogtag NSS database on IPA CA cert renewal. This fixes Dogtag being unable to connect to DS after ipa-certupdate when DS uses a third-party server certificate. https://fedorahosted.org/freeipa/ticket/5595 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/renew_ca_cert28
1 files changed, 9 insertions, 19 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5f8646860..bfb726cdd 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
import traceback
from ipapython import ipautil
-from ipapython.dn import DN
from ipalib import api, errors, x509, certstore
from ipaserver.install import certs, cainstance, installutils
from ipaserver.plugins.ldap2 import ldap2
@@ -155,11 +154,9 @@ def _main():
"Updating CA certificate failed: %s" % e)
# Add external CA certificates
- ca_issuer = str(x509.get_issuer(cert, x509.DER))
try:
- ca_certs = certstore.get_ca_certs(
- conn, api.env.basedn, api.env.realm, False,
- filter_subject=ca_issuer)
+ ca_certs = certstore.get_ca_certs_nss(
+ conn, api.env.basedn, api.env.realm, False)
except Exception as e:
syslog.syslog(
syslog.LOG_ERR,
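Review bot: The comment `# Add external CA certificates` above the new `get_ca_certs_nss` call no longer tells the reader why the `filter_subject` argument went away, and the behaviour did change: the script now imports every CA cert in the LDAP store rather than only the IPA CA's issuer. I'd say so where the next maintainer will look, e.g. `# Import every CA cert from the LDAP store (not only the IPA CA's issuer) so Dogtag can also verify a third-party DS server cert`. The `except Exception` that follows logs and falls back to an empty list, so a transient LDAP failure leaves the Dogtag NSS database without the chain; the log line might mention that the trust update is skipped as a result. `_main` starts before this hunk.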
@@ -167,25 +164,18 @@ def _main():
"%s" % e)
ca_certs = []
- for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
- ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
- nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
- nick = nick_base
- i = 1
- while db.has_nickname(nick):
- nick = '%s [%s]' % (nick_base, i)
- i += 1
- if ca_trusted is False:
- flags = 'p,p,p'
- else:
- flags = 'CT,c,'
-
+ for ca_cert, ca_nick, ca_flags in ca_certs:
try:
- db.add_cert(ca_cert, nick, flags)
+ db.add_cert(ca_cert, ca_nick, ca_flags)
except ipautil.CalledProcessError as e:
syslog.syslog(
syslog.LOG_ERR,
"Failed to add certificate %s" % ca_nick)
+
+ # Pass Dogtag's self-tests
+ for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+ ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+ db.trust_root_cert(ca_nick, 'C' + ca_flags)
finally:
if conn is not None and conn.isconnected():
conn.disconnect()
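Review bot: The lookup `dict(cc[1:] for cc in ca_certs)[ca_nick]` in the new trust loop raises KeyError when the issuer nickname reported by `find_root_cert` is not among the certs just fetched from LDAP — for example when that issuer was already in the NSS database under another nickname, or when `ca_certs` fell back to `[]` after the logged LDAP failure — and that KeyError is outside every guarded block, so the renewal script aborts after the CA cert has already been replaced. The dict is also rebuilt on each iteration, and the `[-2:-1]` slice (presumably the IPA CA cert's immediate issuer, and empty for a self-signed CA) is not explained by `# Pass Dogtag's self-tests`. I'd hoist the map, log and skip a missing nickname instead of crashing, and spell out what the slice selects. `_main` starts before this hunk.

```python
    # … unchanged: import loop over ca_certs …

    # Pass Dogtag's self-tests: mark the IPA CA cert's immediate issuer as
    # trusted.  The slice is empty for a self-signed CA, so nothing changes then.
    flags_by_nick = dict(cc[1:] for cc in ca_certs)
    for ca_nick in db.find_root_cert(nickname)[-2:-1]:
        try:
            ca_flags = flags_by_nick[ca_nick]
        except KeyError:
            syslog.syslog(
                syslog.LOG_ERR,
                "Certificate %s not found in the LDAP CA certificate store, "
                "not updating its trust" % ca_nick)
            continue
        db.trust_root_cert(ca_nick, 'C' + ca_flags)
```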