author | Jan Cholasta <jcholast@redhat.com> | 2016-01-21 08:58:56 +0100 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2016-01-27 14:38:10 +0100 |
commit | eaafeddf769c25bd44b490ae18ffb58e97df4963 (patch) | |
tree | 6b221e72c4d8742a442cef6dd05ff3a02c6421f6 /install/restart_scripts | |
parent | 6e1eb5bc8f83faa38203bd308896d0b15f359b24 (diff) | |
download | freeipa-eaafeddf769c25bd44b490ae18ffb58e97df4963.tar.gz freeipa-eaafeddf769c25bd44b490ae18ffb58e97df4963.tar.xz freeipa-eaafeddf769c25bd44b490ae18ffb58e97df4963.zip |
cert renewal: import all external CA certs on IPA CA cert renewal
Import all external CA certs into the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag being unable to connect to DS when DS uses a
3rd-party server cert after ipa-certupdate.
https://fedorahosted.org/freeipa/ticket/5595
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 28 |
1 files changed, 9 insertions, 19 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5f8646860..bfb726cdd 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
import traceback
from ipapython import ipautil
-from ipapython.dn import DN
from ipalib import api, errors, x509, certstore
from ipaserver.install import certs, cainstance, installutils
from ipaserver.plugins.ldap2 import ldap2
@@ -155,11 +154,9 @@ def _main():
"Updating CA certificate failed: %s" % e)
# Add external CA certificates
- ca_issuer = str(x509.get_issuer(cert, x509.DER))
try:
- ca_certs = certstore.get_ca_certs(
- conn, api.env.basedn, api.env.realm, False,
- filter_subject=ca_issuer)
+ ca_certs = certstore.get_ca_certs_nss(
+ conn, api.env.basedn, api.env.realm, False)
except Exception as e:
syslog.syslog(
syslog.LOG_ERR,
@@ -167,25 +164,18 @@ def _main():
"%s" % e)
ca_certs = []
- for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
- ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
- nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
- nick = nick_base
- i = 1
- while db.has_nickname(nick):
- nick = '%s [%s]' % (nick_base, i)
- i += 1
- if ca_trusted is False:
- flags = 'p,p,p'
- else:
- flags = 'CT,c,'
-
+ for ca_cert, ca_nick, ca_flags in ca_certs:
try:
- db.add_cert(ca_cert, nick, flags)
+ db.add_cert(ca_cert, ca_nick, ca_flags)
except ipautil.CalledProcessError as e:
syslog.syslog(
syslog.LOG_ERR,
"Failed to add certificate %s" % ca_nick)
+
+ # Pass Dogtag's self-tests
+ for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+ ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+ db.trust_root_cert(ca_nick, 'C' + ca_flags)
finally:
if conn is not None and conn.isconnected():
conn.disconnect()
|
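Review bot: In the third hunk, the new self-test loop's lookup `ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]` raises KeyError for any nickname that `db.find_root_cert(nickname)` returns but that was not in the list fetched from LDAP (a chain member already present in the NSS database under a different nickname, or any chain member when the earlier fetch failed and left `ca_certs` empty), and that exception escapes past the `finally` instead of being logged like the add_cert failures just above it. The surrounding code treats a single bad certificate as best-effort, so building the nickname-to-flags map once before the loop and logging-and-continuing on a miss keeps the renewal going; whether a root-chain nickname can legitimately be absent depends on find_root_cert and get_ca_certs_nss, which are outside this hunk, as is the start of _main's try block. Separately, `'C' + ca_flags` is concatenated without inspecting the existing flags; if get_ca_certs_nss can still yield the `p,p,p` form the removed code produced for distrusted CAs, the result `Cp,p,p` would mark a deliberately distrusted certificate as a trusted CA, which is worth confirming against that helper.
```python
        # … unchanged: add_cert loop over ca_certs …

        # Pass Dogtag's self-tests
        flags_by_nick = dict(cc[1:] for cc in ca_certs)
        for ca_nick in db.find_root_cert(nickname)[-2:-1]:
            ca_flags = flags_by_nick.get(ca_nick)
            if ca_flags is None:
                syslog.syslog(
                    syslog.LOG_ERR,
                    "No trust flags known for certificate %s" % ca_nick)
                continue
            db.trust_root_cert(ca_nick, 'C' + ca_flags)
```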