summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/certs.py
Commit message (Collapse)AuthorAgeFilesLines
* Create server and host certs with DNS altnameFraser Tweedale2016-07-191-2/+6
| | | | | | | | | | | | | | Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Increased certmonger timeoutOleg Fayans2016-06-201-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5758 Reviewed-By: Martin Basti <mbasti@redhat.com>
* pylint: remove bare exceptMartin Basti2016-03-221-1/+1
| | | | | | | Bare except should not be used. Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Move freeipa certmonger helpers to libexecdir.Timo Aaltonen2016-02-261-5/+1
| | | | | | | | | | | The scripts in this directory are simple python scripts, nothing arch-specific in them. Having them under libexec would simplify the code a bit too, since there would be no need to worry about lib vs lib64 (which also cause trouble on Debian). https://fedorahosted.org/freeipa/ticket/5586 Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not decode HTTP reason phrase from DogtagFraser Tweedale2016-01-131-4/+3
| | | | | | | | | | | | | | The HTTP reason phrase sent by Dogtag is assumed to be encoded in UTF-8, but the encoding used by Tomcat is dependent on system locale, causing decode errors in some locales. The reason phrase is optional and will not be sent in a future version of Tomcat[1], so do not bother decoding and returning it. [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 Fixes: https://fedorahosted.org/freeipa/ticket/5578 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unused importsMartin Basti2015-12-231-1/+0
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Refactor ipautil.runPetr Viktorin2015-12-141-7/+10
| | | | | | | | | | | | | | | | | | | | | The ipautil.run function now returns an object with returncode and output are accessible as attributes. The stdout and stderr of all commands are logged (unless skip_output is given). The stdout/stderr contents must be explicitly requested with a keyword argument, otherwise they are None. This is because in Python 3, the output needs to be decoded, and that can fail if it's not decodable (human-readable) text. The raw (bytes) output is always available from the result object, as is "leniently" decoded output suitable for logging. All calls are changed to reflect this. A use of Popen in cainstance is changed to ipautil.run. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-8/+2
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipaplatform: Add HTTPD_USER to constants, and use it.Timo Aaltonen2015-11-041-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-151-0/+12
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.moves.configparser instead of ConfigParserPetr Viktorin2015-10-071-1/+2
| | | | | | | | The module name was lowercased in Python 3. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-3/+3
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize number literalsPetr Viktorin2015-07-311-2/+2
| | | | | | | | | | | | | | Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add profile_id parameter to 'request_certificate'Fraser Tweedale2015-06-041-1/+1
| | | | | | | | | | | | Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Make certificate renewal process synchronizedJan Cholasta2015-01-131-0/+104
| | | | | | | | Synchronization is achieved using a global renewal lock. https://fedorahosted.org/freeipa/ticket/4803 Reviewed-By: David Kupka <dkupka@redhat.com>
* certs: Fix incorrect flag handling in load_cacertTomas Babej2014-12-021-4/+2
| | | | | | | | | | | | | For CA certificates that are not certificates of IPA CA, we incorrectly set the trust flags to ",,", regardless what the actual trust_flags parameter was passed. Make the load_cacert method respect trust_flags and make it a required argument. https://fedorahosted.org/freeipa/ticket/4779 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move NSSDatabase from ipaserver.certs to ipapython.certdbJan Cholasta2014-09-301-447/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4416 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do stricter validation of CA certificatesJan Cholasta2014-09-301-0/+4
| | | | | | | | | Every CA certificate must have non-empty subject and basic constraints extension with the CA flag set. https://fedorahosted.org/freeipa/ticket/4477 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add NSSDatabase.import_files method for importing files in various formatsJan Cholasta2014-09-301-0/+191
| | | | | | | | | | The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. https://fedorahosted.org/freeipa/ticket/4480 https://fedorahosted.org/freeipa/ticket/4489 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.David Kupka2014-09-051-23/+3
| | | | | | | | | | | | FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be more stable and supported way of using cermonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix parsing of long nicknames in certutil -L output.Jan Cholasta2014-08-071-4/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4453 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add new NSSDatabase method get_cert for getting certs from NSS databases.Jan Cholasta2014-07-301-1/+13
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow multiple CA certificates in replica info files.Jan Cholasta2014-07-301-1/+15
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add new add_cert method for adding certificates to NSSDatabase and CertDB.Jan Cholasta2014-07-301-8/+10
| | | | | | | | | | Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and remove add_single_pem_cert. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Rename CertDB method add_cert to import_cert.Jan Cholasta2014-07-301-3/+3
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix trust flags in HTTP and DS NSS databases.Jan Cholasta2014-07-301-11/+11
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.Jan Cholasta2014-07-301-4/+6
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not treat the IPA RA cert as CA cert in DS NSS database.Jan Cholasta2014-07-301-1/+1
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add method for verifying CA certificates to NSSDatabase.Jan Cholasta2014-07-301-0/+23
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-13/+14
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Remove redundant imports of ipaservicesTomas Babej2014-06-161-1/+0
| | | | | | | | Also fixes few incorrect imports. https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaplatform: Change service code in freeipa to use ipaplatform servicesTomas Babej2014-06-161-4/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Read passwords from stdin when importing PKCS#12 files with pk12util.Jan Cholasta2013-10-041-10/+12
| | | | | | | This works around pk12util refusing to use empty password files, which prevents the use of PKCS#12 files with empty password. https://fedorahosted.org/freeipa/ticket/3897
* Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.Jan Cholasta2013-08-201-0/+6
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.Jan Cholasta2013-08-201-44/+0
| | | | https://fedorahosted.org/freeipa/ticket/3641
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-131-1/+1
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Properly handle non-existent cert filesAna Krivokapic2013-07-181-2/+11
| | | | https://fedorahosted.org/freeipa/ticket/3785
* Skip empty lines when parsing pk12util output.Jan Cholasta2013-06-121-1/+1
|
* Handle exceptions gracefully when verifying PKCS#12 files.Jan Cholasta2013-06-121-1/+7
| | | | https://fedorahosted.org/freeipa/ticket/3667
* Drop --selfsign server functionalityPetr Viktorin2013-04-151-481/+102
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-021-2/+9
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-021-6/+54
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* Trust CAs from PKCS#12 files even if they don't have Friendly NamesPetr Viktorin2013-04-021-1/+2
| | | | | Instead of trusting all certificates with friendly names, now all certs without a "u" flag are trusted as root certs.
* ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil ↵Petr Viktorin2013-04-021-95/+191
| | | | | | | | | | | | | | wrapper The CertDB class was meant to be a wrapper around NSS databases, certutil, pk12util, etc. Unfortunately, over time it grew too dependent on the particular scenarios it is used in. Introduce a new class that has no knowledge about IPA configuration, and move generic code to it. In the future, generic code should be moved to NSSDatabase, code for the self-signed CA should be removed, and IPA-specific code may stay in CertDB (which calls NSSDatabase).
* Remove unused imports from ipaserver/installPetr Viktorin2013-03-011-11/+2
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Drop ipapython.compat.Jan Cholasta2013-02-011-2/+1
|
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-231-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Use correct Dogtag port in ipaserver.install.certsPetr Viktorin2012-09-201-2/+2
| | | | | On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong port number. Fix that.
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-4/+14
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Internationalization for public errorsPetr Viktorin2012-09-031-2/+4
| | | | | | | | | | | | Currently, we throw many public exceptions without proper i18n. Wrap natural-language error messages in _() so they can be translated. In the service plugin, raise NotFound errors using handle_not_found helper so the error message contains the offending service. Use ScriptError instead of NotFoundError in bindinstance install. https://fedorahosted.org/freeipa/ticket/1953
generated by cgit (git 2.34.1) at 2025-09-02 23:23:06 +0000