author | Martin Babinsky <mbabinsk@redhat.com> | 2016-10-25 15:55:35 +0200 |
committer | Jan Cholasta <jcholast@redhat.com> | 2016-11-11 12:13:56 +0100 |
commit | b1283c1e56976a3019c81c3be88fa821431ac6a6 (patch) | |
tree | a33c0a176a630a8ad33c5753358b5e155560670c /ipaserver/install/httpinstance.py | |
parent | 2fdc2d0cb7fa98992fe6c2070cb5dc34c500ac09 (diff) | |
initialize empty /etc/http/alias during server/replica install
In order to reduce coupling between httpinstance and other service installers,
the HTTP installer is now tasked with initializing /etc/httpd/alias (the RA
agent database) at the beginning of server/replica installation.
Part of https://fedorahosted.org/freeipa/ticket/6429
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 52 |
1 files changed, 33 insertions, 19 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bc36ccd05..e9f2af11a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 from __future__ import print_function
+import binascii
 import os
 import os.path
 import pwd
@@ -69,6 +70,8 @@ NSS_CIPHER_SUITE = [
 ]
 NSS_CIPHER_REVISION = '20160129'
+NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
+
 def httpd_443_configured():
     """
@@ -306,6 +309,33 @@ class HTTPInstance(service.Service):
         if certmonger_stopped:
             certmonger.stop()
+    def create_cert_db(self):
+        database = certs.NSS_DIR
+        pwd_file = os.path.join(database, 'pwdfile.txt')
+
+        for p in NSS_FILES:
+            nss_path = os.path.join(database, p)
+            ipautil.backup_file(nss_path)
+
+        # Create the password file for this db
+        hex_str = binascii.hexlify(os.urandom(10))
+        f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
+        os.write(f, hex_str)
+        os.close(f)
+
+        ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
+
+        self.fix_cert_db_perms()
+
+    def fix_cert_db_perms(self):
+        pent = pwd.getpwnam(constants.HTTPD_USER)
+
+        for filename in NSS_FILES:
+            nss_path = os.path.join(certs.NSS_DIR, filename)
+            os.chmod(nss_path, 0o640)
+            os.chown(nss_path, 0, pent.pw_gid)
+            tasks.restore_context(nss_path)
+
     def __setup_ssl(self):
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         if self.pkcs12_info:
@@ -313,9 +343,9 @@ class HTTPInstance(service.Service):
                 trust_flags = 'CT,C,C'
             else:
                 trust_flags = None
-            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
-                                  passwd=None, ca_file=self.ca_file,
-                                  trust_flags=trust_flags)
+            db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
+                                ca_file=self.ca_file,
+                                trust_flags=trust_flags)
             server_certs = db.find_server_certs()
             if len(server_certs) == 0:
                 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
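Review bot: In create_cert_db the NSS password file is created with `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` and no mode argument, so until fix_cert_db_perms runs after certutil its permissions are whatever the installer's umask leaves from the default 0o777, typically world-readable; the database password is briefly exposed to any local user. Passing an explicit mode closes that window: `f = os.open(pwd_file, os.O_CREAT | os.O_RDWR | os.O_TRUNC, 0o600)`. O_TRUNC also avoids leaving stale trailing bytes if an older pwdfile.txt survives ipautil.backup_file (I cannot tell from the hunk whether backup_file moves or copies). os.write may also write fewer bytes than requested; wrapping the descriptor as `with os.fdopen(f, 'wb') as fh: fh.write(hex_str)` handles both the full write and the close.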
@@ -372,22 +402,6 @@ class HTTPInstance(service.Service):
         nickname = server_certs[0][0]
         db.export_ca_cert(nickname)
-        # Fix the database permissions
-        os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/key3.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660)
-
-        pent = pwd.getpwnam(HTTPD_USER)
-        os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
-
-        # Fix SELinux permissions on the database
-        tasks.restore_context(certs.NSS_DIR + "/cert8.db")
-        tasks.restore_context(certs.NSS_DIR + "/key3.db")
-
     def __import_ca_certs(self):
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         self.import_ca_certs(db, self.ca_is_configured)