authorStanislav Laznicka <slaznick@redhat.com>2017-01-13 09:08:42 +0100
committerJan Cholasta <jcholast@redhat.com>2017-03-01 09:43:41 +0000
commit5ab85b365ae886558b1f077b0d039a0d24bebfa7 (patch)
tree270e8328af5b0d7934e55b81928a2417daa95985 /ipaserver/install/plugins
parent24b134c633390343ba76e4091fa612650976280a (diff)
Moving ipaCert from HTTPD_ALIAS_DIR
The certificate with the nickname "ipaCert" is no longer required to be in the /var/lib/ipa/radb NSSDB, as a copy of it was already being kept in a separate file anyway. Remove it from there and track only the file. Remove IPA_RADB_DIR as well, as it is no longer required. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/ca_renewal_master.py11
-rw-r--r--ipaserver/install/plugins/update_ra_cert_store.py80
2 files changed, 38 insertions, 53 deletions
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 2447a3406..99503adfe 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -74,17 +74,16 @@ class update_ca_renewal_master(Updater):
return False, []
criteria = {
- 'cert-database': paths.HTTPD_ALIAS_DIR,
- 'cert-nickname': 'ipaCert',
+ 'cert-file': paths.RA_AGENT_PEM,
}
request_id = certmonger.get_request_id(criteria)
if request_id is not None:
- self.debug("found certmonger request for ipaCert")
+ self.debug("found certmonger request for RA cert")
ca_name = certmonger.get_request_value(request_id, 'ca-name')
if ca_name is None:
self.warning(
- "certmonger request for ipaCert is missing ca_name, "
+ "certmonger request for RA cert is missing ca_name, "
"assuming local CA is renewal slave")
return False, []
ca_name = ca_name.strip()
@@ -97,11 +96,11 @@ class update_ca_renewal_master(Updater):
return False, []
else:
self.warning(
- "certmonger request for ipaCert has unknown ca_name '%s', "
+ "certmonger request for RA cert has unknown ca_name '%s', "
"assuming local CA is renewal slave", ca_name)
return False, []
else:
- self.debug("certmonger request for ipaCert not found")
+ self.debug("certmonger request for RA cert not found")
config = installutils.get_directive(
paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index e4c0ac528..937f9c59f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -2,15 +2,15 @@
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
-import binascii
import os
+import tempfile
from ipalib import Registry
from ipalib import Updater
-from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
from ipalib.install import certmonger
from ipaplatform.paths import paths
-from ipapython import certdb
+from ipapython.certdb import NSSDatabase
+from ipaserver.install import cainstance
register = Registry()
@@ -18,58 +18,44 @@ register = Registry()
@register()
class update_ra_cert_store(Updater):
"""
- Moves the cert store from /etc/httpd/alias to /var/lib/ipa/radb
+ Moves the ipaCert store from /etc/httpd/alias RA_AGENT_PEM, RA_AGENT_KEY
+ files
"""
def execute(self, **options):
+ ra_nick = 'ipaCert'
ca_enabled = self.api.Command.ca_is_enabled()['result']
if not ca_enabled:
return False, []
- olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
- if not olddb.has_nickname('ipaCert'):
+ certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
+ if not certdb.has_nickname(ra_nick):
# Nothign to do
return False, []
-
- newdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
- if os.path.exists(paths.IPA_RADB_DIR):
- if newdb.has_nickname('ipaCert'):
- self.log.warning(
- "An 'ipaCert' nickname exists in both the old {} and the "
- "new {} NSS Databases!".format(paths.HTTPD_ALIAS_DIR,
- paths.IPA_RADB_DIR))
- return False, []
- else:
- # Create the DB
- newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
-
- # Import cert chain (ignore errors, as certs may already be imported)
- certlist = olddb.list_certs()
- certflags = {}
- for name, flags in certlist:
- certflags[name] = flags
- for name in olddb.get_trust_chain('ipaCert'):
- if name == 'ipaCert':
- continue
- try:
- cert = olddb.get_cert(name, pem=True)
- newdb.add_cert(cert, name, certflags[name], pem=True)
- except Exception as e: # pylint disable=broad-except
- self.log.warning("Failed to import '{}' from trust "
- "chain: {}".format(name, str(e)))
-
- # As the last step export/import/delete the RA Cert
- pw = binascii.hexlify(os.urandom(10))
- p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
- olddb.export_pkcs12('ipaCert', p12file, pw)
- newdb.import_pkcs12(p12file, pw)
-
- certmonger.stop_tracking(secdir=olddb.secdir,
- nickname='ipaCert')
- certmonger.start_tracking(certpath=newdb.secdir,
- nickname='ipaCert',
- pinfile=newdb.pwd_file)
-
- olddb.delete_cert('ipaCert')
+ elif os.path.exists(paths.RA_AGENT_PEM):
+ # even though the certificate file exists, we will overwrite it
+ # as it's probabably something wrong anyway
+ self.log.warning(
+ "A certificate with the nickname 'ipaCert' exists in "
+ "the old '{}' NSS database as well as in the new "
+ "PEM file '{}'"
+ .format(paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM))
+
+ _fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
+ # no password is necessary as we will be saving it in clear anyway
+ certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')
+
+ # stop tracking the old cert and remove it
+ certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
+ certdb.delete_cert(ra_nick)
+ if os.path.exists(paths.OLD_KRA_AGENT_PEM):
+ os.remove(paths.OLD_KRA_AGENT_PEM)
+
+ # get the private key and certificate from the file and start
+ # tracking it in certmonger
+ ca = cainstance.CAInstance()
+ ca.import_ra_cert(p12file)
+
+ os.remove(p12file)
return False, []
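Review bot: The descriptor returned by `tempfile.mkstemp` on the `_fd, p12file = ...` line is never closed, and the PKCS#12 file — which holds the RA private key unencrypted (`pkcs12_passwd=''`) — is only removed on the success path, so an exception from `export_pkcs12`, `stop_tracking`, `delete_cert` or `import_ra_cert` leaves cleartext key material behind in the NSS directory. Close the descriptor right after creation and move the `os.remove(p12file)` into a `finally`, as sketched below. Separately, the old cert is untracked and deleted from the NSS database before `import_ra_cert` has succeeded, so a failure there leaves the RA cert only in the temporary file; deleting after a successful import would make recovery trivial, if `import_ra_cert` tolerates the nickname still being present (not visible here). The docstring at the top of the hunk, `Moves the ipaCert store from /etc/httpd/alias RA_AGENT_PEM, RA_AGENT_KEY files`, is missing the word "to", and `probabably` in the warning comment is misspelled.
```python
fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
os.close(fd)
try:
    # no password is necessary as we will be saving it in clear anyway
    certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')
    # … unchanged: stop_tracking, delete_cert, OLD_KRA_AGENT_PEM removal …
    ca = cainstance.CAInstance()
    ca.import_ra_cert(p12file)
finally:
    os.remove(p12file)
```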