author | Martin Babinsky <mbabinsk@redhat.com> | 2016-10-25 15:55:35 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-11-11 12:13:56 +0100 |
commit | b1283c1e56976a3019c81c3be88fa821431ac6a6 (patch) | |
tree | a33c0a176a630a8ad33c5753358b5e155560670c /ipaserver | |
parent | 2fdc2d0cb7fa98992fe6c2070cb5dc34c500ac09 (diff) | |
initialize empty /etc/http/alias during server/replica install
In order to reduce coupling between httpinstance and other service installers,
the HTTP installer is now tasked with initializing /etc/httpd/alias (the RA
agent database) at the beginning of server/replica installation.
Part of https://fedorahosted.org/freeipa/ticket/6429
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 37 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 52 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 3 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 8 |
4 files changed, 42 insertions, 58 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c3128176..48b66e270 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -22,14 +22,12 @@ from __future__ import print_function import base64 -import binascii import dbus import ldap import os import pwd import re import shutil -import stat import sys import syslog import time @@ -388,10 +386,7 @@ class CAInstance(DogtagInstance): # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. if self.external != 1: - if self.create_ra_agent_db: - self.step("creating RA agent certificate database", self.__create_ra_agent_db) self.step("importing CA chain to RA certificate database", self.__import_ca_chain) - self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) self.step("configure certmonger for renewals", @@ -695,26 +690,6 @@ class CAInstance(DogtagInstance): new_args = new_args + args return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs) - def __create_ra_agent_db(self): - if ipautil.file_exists(self.ra_agent_db + "/cert8.db"): - ipautil.backup_file(self.ra_agent_db + "/cert8.db") - ipautil.backup_file(self.ra_agent_db + "/key3.db") - ipautil.backup_file(self.ra_agent_db + "/secmod.db") - ipautil.backup_file(self.ra_agent_db + "/pwdfile.txt") - - if not ipautil.dir_exists(self.ra_agent_db): - os.mkdir(self.ra_agent_db) - os.chmod(self.ra_agent_db, 0o755) - - # Create the password file for this db - hex_str = binascii.hexlify(os.urandom(10)) - f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR) - os.write(f, hex_str) - os.close(f) - os.chmod(self.ra_agent_pwd, stat.S_IRUSR) - - self.__run_certutil(["-N"]) - def __get_ca_chain(self): try: return dogtag.get_ca_certchain(ca_host=self.fqdn) 
@@ -844,17 +819,6 @@ class CAInstance(DogtagInstance): os.remove(agent_pwdfile) os.remove(chain_file) - def fix_ra_perms(self): - os.chmod(self.ra_agent_db + "/cert8.db", 0o640) - os.chmod(self.ra_agent_db + "/key3.db", 0o640) - os.chmod(self.ra_agent_db + "/secmod.db", 0o640) - - pent = pwd.getpwnam(constants.HTTPD_USER) - os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid ) - os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid ) - os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid ) - os.chown(self.ra_agent_pwd, pent.pw_uid, pent.pw_gid) - def __setup_sign_profile(self): # Tell the profile to automatically issue certs for RAs installutils.set_directive( @@ -1274,7 +1238,6 @@ class CAInstance(DogtagInstance): self.step("importing CA chain to RA certificate database", self.__import_ca_chain) - self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index bc36ccd05..e9f2af11a 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import binascii import os import os.path import pwd @@ -69,6 +70,8 @@ NSS_CIPHER_SUITE = [ ] NSS_CIPHER_REVISION = '20160129' +NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") + def httpd_443_configured(): """ 
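Review bot: `NSS_FILES` is introduced as a bare tuple with no comment, and its name hides that the last entry, pwdfile.txt, is not an NSS database file but the certutil password file that fix_cert_db_perms later makes root-owned, group HTTPD_USER, mode 0o640 alongside the three database files. A one-line comment above it would save the next reader a trip to create_cert_db: `# legacy (dbm-format) NSS database files plus certutil's password file; all get the same owner/mode`. The three .db names are specific to the dbm backend, so if the directory were ever switched to the sqlite backend (cert9.db/key4.db/pkcs11.txt) this list would silently miss the real files — worth stating in that comment as well.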
@@ -306,6 +309,33 @@ class HTTPInstance(service.Service): if certmonger_stopped: certmonger.stop() + def create_cert_db(self): + database = certs.NSS_DIR + pwd_file = os.path.join(database, 'pwdfile.txt') + + for p in NSS_FILES: + nss_path = os.path.join(database, p) + ipautil.backup_file(nss_path) + + # Create the password file for this db + hex_str = binascii.hexlify(os.urandom(10)) + f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) + os.write(f, hex_str) + os.close(f) + + ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) + + self.fix_cert_db_perms() + + def fix_cert_db_perms(self): + pent = pwd.getpwnam(constants.HTTPD_USER) + + for filename in NSS_FILES: + nss_path = os.path.join(certs.NSS_DIR, filename) + os.chmod(nss_path, 0o640) + os.chown(nss_path, 0, pent.pw_gid) + tasks.restore_context(nss_path) + def __setup_ssl(self): db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: @@ -313,9 +343,9 @@ class HTTPInstance(service.Service): trust_flags = 'CT,C,C' else: trust_flags = None - db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], - passwd=None, ca_file=self.ca_file, - trust_flags=trust_flags) + db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], + ca_file=self.ca_file, + trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) 
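Review bot: In create_cert_db the password file is created with `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` and no mode argument, so its permissions come from the process umask (typically 0644) and stay that way through the certutil run until fix_cert_db_perms tightens them to 0o640; if certutil fails, the exception propagates and the NSS password file is left behind with those umask-derived permissions. The removed cainstance.__create_ra_agent_db chmod'ed the file to `stat.S_IRUSR` immediately after writing it; the equivalent here is to pass the mode at creation, `f = os.open(pwd_file, os.O_CREAT | os.O_RDWR, 0o600)`, which holds under any umask because the umask only ever clears bits. The method also relies on ipautil.backup_file having moved any existing pwdfile.txt aside (not visible in this hunk); without O_TRUNC a stale file that was left in place would only have its first bytes overwritten, so adding `os.O_TRUNC` makes that assumption explicit. __setup_ssl, which starts at the end of the hunk, continues outside it.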
@@ -372,22 +402,6 @@ class HTTPInstance(service.Service): nickname = server_certs[0][0] db.export_ca_cert(nickname) - # Fix the database permissions - os.chmod(certs.NSS_DIR + "/cert8.db", 0o660) - os.chmod(certs.NSS_DIR + "/key3.db", 0o660) - os.chmod(certs.NSS_DIR + "/secmod.db", 0o660) - os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660) - - pent = pwd.getpwnam(HTTPD_USER) - os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid ) - os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid ) - os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid ) - os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid ) - - # Fix SELinux permissions on the database - tasks.restore_context(certs.NSS_DIR + "/cert8.db") - tasks.restore_context(certs.NSS_DIR + "/key3.db") - def __import_ca_certs(self): db = certs.CertDB(self.realm, subject_base=self.subject_base) self.import_ca_certs(db, self.ca_is_configured) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b5826f3f9..2140cc52f 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -716,6 +716,9 @@ def install(installer): if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) + http_instance = httpinstance.HTTPInstance() + http_instance.create_cert_db() + # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user() diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index ca889fb4a..5ea93aea0 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -776,6 +776,9 @@ def install(installer): if installer._update_hosts_file: installutils.update_hosts_file(config.ips, config.host_name, fstore) + http_instance = httpinstance.HTTPInstance() + http_instance.create_cert_db() + ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12") # Create DS user/group if it doesn't exist yet 
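Review bot: create_cert_db is invoked on a throwaway `httpinstance.HTTPInstance()` constructed only for this call, and neither create_cert_db nor fix_cert_db_perms reads any instance state in the httpinstance hunk, so both would read better as `@staticmethod`s (or module-level functions) called as `httpinstance.HTTPInstance.create_cert_db()`; the identical two-line construction is repeated in replicainstall.py's install() and promote() hunks. Running it this early also means an existing database in the HTTP NSS directory is backed up and replaced before the DS user is even created, which is presumably intended for a fresh install but deserves a comment at the call site such as `# (re)initialise the HTTP/RA NSS database; existing files are backed up first`. install()'s body begins and ends outside the hunk.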
@@ -840,7 +843,6 @@ def install(installer): CA.configure_certmonger_renewal() CA.import_ra_cert(config.dir + "/ra.p12") - CA.fix_ra_perms() custodia = custodiainstance.CustodiaInstance(config.host_name, config.realm_name) @@ -1394,6 +1396,9 @@ def promote(installer): config.promote = installer.promote config.dirman_password = hexlify(ipautil.ipa_generate_password()) + http_instance = httpinstance.HTTPInstance() + http_instance.create_cert_db() + # FIXME: allow to use passed in certs instead if installer._ca_enabled: configure_certmonger() @@ -1476,7 +1481,6 @@ def promote(installer): CA.configure_certmonger_renewal() CA.configure_agent_renewal() cainstance.export_kra_agent_pem() - CA.fix_ra_perms() install_krb( config, |