author | Jan Cholasta <jcholast@redhat.com> | 2014-11-10 16:24:22 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@dhcp-31-13.brq.redhat.com> | 2014-11-11 16:13:52 +0100 |
commit | 2639997dfee43d66e94ef9b5441289816c465e7d (patch) | |
tree | 6a945b35e5fe6473d4dbfa9d9f8dc195e54caa3e /ipaserver/install/ipa_restore.py | |
parent | 8248f696275e2e63dab860a25467e2868aa17036 (diff) | |
Fix CA certificate backup and restore
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver/install/ipa_restore.py')
-rw-r--r-- | ipaserver/install/ipa_restore.py | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index cfe3dff9f..7276ed305 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -26,7 +26,7 @@ import pwd
 from ConfigParser import SafeConfigParser
 
 from ipalib import api, errors
-from ipapython import version
+from ipapython import version, ipautil, certdb
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
 from ipapython.dn import DN
@@ -277,7 +277,9 @@ class Restore(admintool.AdminTool):
             create_ca_user()
             if options.online:
                 raise admintool.ScriptError('File restoration cannot be done online.')
+            self.cert_restore_prepare()
             self.file_restore(options.no_logs)
+            self.cert_restore()
 
             if 'CA' in self.backup_services:
                 self.__create_dogtag_log_dirs()
@@ -659,3 +661,34 @@ class Restore(admintool.AdminTool):
             tasks.set_selinux_booleans(bools)
         except ipapython.errors.SetseboolError as e:
             self.log.error('%s', e)
+
+    def cert_restore_prepare(self):
+        for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'):
+            filename = os.path.join(paths.IPA_NSSDB_DIR, basename)
+            try:
+                ipautil.backup_file(filename)
+            except OSError as e:
+                self.log.error("Failed to backup %s: %s" % (filename, e))
+
+        tasks.remove_ca_certs_from_systemwide_ca_store()
+
+    def cert_restore(self):
+        if not os.path.exists(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
+            certdb.create_ipa_nssdb()
+        ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+        sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+        for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+                                      ('External CA cert', 'C,,')):
+            try:
+                cert = sys_db.get_cert(nickname)
+            except RuntimeError:
+                pass
+            else:
+                try:
+                    ipa_db.add_cert(cert, nickname, trust_flags)
+                except ipautil.CalledProcessError as e:
+                    self.log.error(
+                        "Failed to add %s to %s: %s" %
+                        (nickname, paths.IPA_NSSDB_DIR, e))
+
+        tasks.reload_systemwide_ca_store()
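Review bot: The two new calls around `self.file_restore(options.no_logs)` in the second hunk carry no explanation of why `cert_restore_prepare()` has to run before the file restore and `cert_restore()` after it, and the ordering is load-bearing: prepare both saves the current NSS DB files and empties the system-wide CA store, so if `file_restore` then fails the host is left with those certificates removed and nothing here restores them. I would add a comment above the first call, `# snapshot the current NSS DB and clear the system-wide CA store before file_restore replaces them; cert_restore re-populates both afterwards`, and consider whether a failed `file_restore` should attempt to put the backed-up NSS DB files back. The enclosing method starts and ends outside this hunk, so whether the caller already handles that failure cannot be seen from here.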
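Review bot: In `cert_restore` the `except RuntimeError: pass` around `sys_db.get_cert(nickname)` silently drops the case where the system NSS DB has no `IPA CA` entry after the restore, which leaves `/etc/ipa/nssdb` without the CA trust anchor and no trace of why; a log line such as `self.log.debug("%s not found in %s, skipping", nickname, paths.NSS_DB_DIR)` keeps the best-effort behaviour (absence of `External CA cert` is presumably normal on self-signed installs) while making the missing-CA case diagnosable. The two `self.log.error(... % ...)` calls in this hunk also pre-format the message, unlike the existing `self.log.error('%s', e)` on the context line just above; the consistent form is `self.log.error("Failed to backup %s: %s", filename, e)` and `self.log.error("Failed to add %s to %s: %s", nickname, paths.IPA_NSSDB_DIR, e)`. Both new methods would benefit from a one-line docstring stating that they run only for an offline full restore, since the `options.online` check in the second hunk is the only thing that guarantees it.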