authorJan Cholasta <jcholast@redhat.com>2014-09-17 15:04:11 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 10:01:38 +0200
commit734afdf936913726b0310ca1d24731b1bdf1b5bd (patch)
tree8e7b3a0d2fbaf920882c773f3621bea494c8d938
parent4e680467517365caca596244ffc86e69037bde83 (diff)
Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
The file was used by previous versions of IPA to provide the IPA CA certificate to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains all the CA certificates and associated trust policy from the LDAP certificate store. Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to prevent certificate import failures in installer code. Also add ipa.p11-kit to the files owned by the freeipa-python package. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rw-r--r--freeipa.spec.in1
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipaplatform/fedora/tasks.py38
3 files changed, 30 insertions, 10 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6e9747fde..b0d4b06a0 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -815,6 +815,7 @@ fi
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
+%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%if ! %{ONLY_CLIENT}
%files tests -f tests-python.list
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a810e6573..1d936016a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -80,6 +80,7 @@ class BasePathNamespace(object):
PAM_LDAP_CONF = "/etc/pam_ldap.conf"
PASSWD = "/etc/passwd"
ETC_PKI_CA_DIR = "/etc/pki-ca"
+ SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
NSS_DB_DIR = "/etc/pki/nssdb"
NSSDB_CERT8_DB = "/etc/pki/nssdb/cert8.db"
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py
index 9f4a76b82..351f523c1 100644
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
@@ -158,6 +158,16 @@ class FedoraTaskNamespace(BaseTaskNamespace):
auth_config.execute()
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
+ new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ except OSError, e:
+ root_logger.error(
+ "Could not remove %s: %s", new_cacert_path, e)
+ return False
+
new_cacert_path = paths.IPA_P11_KIT
try:
@@ -250,25 +260,33 @@ class FedoraTaskNamespace(BaseTaskNamespace):
return False
def remove_ca_certs_from_systemwide_ca_store(self):
- new_cacert_path = paths.IPA_P11_KIT
+ ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+ update = False
# Remove CA cert from systemwide store
- if os.path.exists(new_cacert_path):
+ for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+ if not os.path.exists(new_cacert_path):
+ continue
try:
os.remove(new_cacert_path)
- ipautil.run([paths.UPDATE_CA_TRUST])
except OSError, e:
- root_logger.error('Could not remove: %s, %s'
- % (new_cacert_path, str(e)))
- return False
+ root_logger.error(
+ "Could not remove %s: %s", new_cacert_path, e)
+ else:
+ update = True
+
+ if update:
+ try:
+ ipautil.run([paths.UPDATE_CA_TRUST])
except CalledProcessError, e:
- root_logger.error('Could not update systemwide CA trust '
- 'database: %s' % str(e))
+ root_logger.error(
+ "Could not update systemwide CA trust database: %s", e)
return False
else:
- root_logger.info('Systemwide CA database updated.')
+ root_logger.info("Systemwide CA database updated.")
+ return True
- return True
+ return False
def backup_and_replace_hostname(self, fstore, statestore, hostname):
old_hostname = socket.gethostname()
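Review bot: In remove_ca_certs_from_systemwide_ca_store the result no longer reports removal failures: the final `return False` (which replaced the old `return True`) makes a clean system with neither ipa.p11-kit nor ipa-ca.crt present look like a failure, while an OSError on one file is forgotten once the other file is removed, because `else: update = True` is the only state the loop records and the success path then returns True. That matters here because a stale anchor left in the system-wide store keeps the IPA CA trusted after uninstall, and the caller cannot tell from the return value. Track failures separately from "something changed", drop the `return True` inside the update branch so the function falls through to the final return, and return `not failed`; the rewrite is sketched below. The first hunk of this file reuses `new_cacert_path` for ipa-ca.crt and then immediately for paths.IPA_P11_KIT, which reads as if the same file is being handled twice, so naming it `ipa_ca_crt` as the second hunk does would help. A one-line docstring stating that True means the store no longer contains the IPA CA files (and that update-ca-trust only runs when something was removed) would also be useful, since callers otherwise have to read the loop to learn that.
```python
        update = False
        failed = False
        # … unchanged: exists check and os.remove in the loop …
            except OSError, e:
                root_logger.error(
                    "Could not remove %s: %s", new_cacert_path, e)
                failed = True
            else:
                update = True

        if update:
            try:
                ipautil.run([paths.UPDATE_CA_TRUST])
            except CalledProcessError, e:
                root_logger.error(
                    "Could not update systemwide CA trust database: %s", e)
                return False
            root_logger.info("Systemwide CA database updated.")

        return not failed
```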