From ef39e1b02a2ef965997d38fc7b72d5ee1542d44b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Mon, 8 Jul 2019 11:25:13 +0200
Subject: upgrade: remove ipaCert and key from /etc/httpd/alias

With ipa 4.5+, the RA cert is stored in files in /var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles the move from /etc/httpd/alias to the files but does not remove the private key from /etc/httpd/alias. The fix calls certutil -F -n ipaCert to remove cert and key, instead of -D -n ipaCert which removes only the cert. Fixes: https://pagure.io/freeipa/issue/7329 Reviewed-By: Fraser Tweedale
---
 ipapython/certdb.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 (limited to 'ipapython')

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c7503c11b..dcab5512e 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -892,6 +892,32 @@ class NSSDatabase:
     def delete_cert(self, nick):
         self.run_certutil(["-D", "-n", nick])
 
+    def delete_key_only(self, nick):
+        """Delete the key with provided nick
+
+        This commands removes the key but leaves the cert in the DB.
+        """
+        keys = self.list_keys()
+        # keys is a list of tuple(slot, algo, keyid, nickname)
+        for (_slot, _algo, keyid, nickname) in keys:
+            if nickname == nick:
+                # Key is present in the DB, delete the key
+                self.run_certutil(["-F", "-k", keyid])
+                break
+
+    def delete_key_and_cert(self, nick):
+        """Delete a cert and its key from the DB"""
+        try:
+            self.run_certutil(["-F", "-n", nick])
+        except ipautil.CalledProcessError:
+            # Using -F -k instead of -F -n because the latter fails if
+            # the DB contains only the key
+            self.delete_key_only(nick)
+        # Check that cert was deleted
+        for (certname, _flags) in self.list_certs():
+            if certname == nick:
+                self.delete_cert(nick)
+
     def verify_server_cert_validity(self, nickname, hostname):
         """Verify a certificate is valid for a SSL server with given hostname
-- 
cgit
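Review bot: delete_key_and_cert checks afterwards that the cert is gone but never checks that the private key is, although a lingering private key is exactly the defect this commit fixes; if `-F -n` fails for an unrelated reason (locked DB, bad password) and delete_key_only then finds no entry for nick, the method returns silently with the key still in the database. A post-check mirroring the cert loop would catch that: `for (_slot, _algo, _keyid, nickname) in self.list_keys():` / `    if nickname == nick:` / `        raise RuntimeError("private key for %s still present in NSS DB" % nick)`. Separately, delete_key_only stops at the first match with `break`, so if list_keys ever reports several keys under the same nickname only one is removed; dropping the `break` would remove them all and is otherwise equivalent. The docstring of delete_key_only reads "This commands removes", which should be "This command removes". The enclosing class NSSDatabase starts and ends outside the hunk.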