From 8ee71c8aab262ba0041ee9ac84fb862a5fda32cf Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 21 Jan 2016 15:48:30 +0100
Subject: [PATCH] replica install: validate DS and HTTP server certificates
|
Validate the DS and HTTP certificates from the replica info file early in
ipa-replica-install to prevent crashes later.
|
https://fedorahosted.org/freeipa/ticket/5598
|
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipaserver/install/server/replicainstall.py | 31 +++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
|
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a5d4a77f3daa8110ad0be064085b12b20da853cf..317eda92dd4322542f035c2df4dba919a5898cc7 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -356,6 +356,8 @@ def install_check(installer):
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
|
+ ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
+
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
old_umask = os.umask(022) # must be readable for httpd
@@ -371,7 +373,7 @@ def install_check(installer):
ipautil.format_netloc(config.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
installutils.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/cacert.p12"):
+ if ca_enabled:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" %
@@ -395,6 +397,33 @@ def install_check(installer):
raise RuntimeError("CA cert file is not available. Please run "
"ipa-replica-prepare to create a new replica file.")
|
+ for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'),
+ ('httpcert.p12', 'http_pin.txt')):
+ pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name)
+ tmp_db_dir = tempfile.mkdtemp('ipa')
+ try:
+ tmp_db = certs.CertDB(config.realm_name,
+ nssdir=tmp_db_dir,
+ subject_base=config.subject_base)
+ if ca_enabled:
+ trust_flags = 'CT,C,C'
+ else:
+ trust_flags = None
+ tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
+ ca_file=cafile,
+ trust_flags=trust_flags)
+ if not tmp_db.find_server_certs():
+ raise RuntimeError(
+ "Could not find a suitable server cert in import in %s" %
+ pkcs12_info[0])
+ except Exception as e:
+ root_logger.error('%s', e)
+ raise RuntimeError(
+ "Server cert is not valid. Please run ipa-replica-prepare to "
+ "create a new replica file.")
+ finally:
+ shutil.rmtree(tmp_db_dir)
+
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True, context='installer',
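Review bot: The check `if not tmp_db.find_server_certs():` only establishes that some server certificate was imported from the PKCS#12 file; as written, this early validation does not confirm that the certificate chains to the CA given in `cafile`, is unexpired, or is issued for `config.host_name`, so a replica file that fails any of those would still pass here and, if later steps depend on them, the crashes the commit message describes would merely move later — worth a comment on the check stating exactly what is and is not being validated, e.g. `# Only checks that a server cert imported; chain/expiry/hostname are not verified here`. The RuntimeError raised by that check is also caught by the `except Exception as e:` below and re-raised as the generic "Server cert is not valid" message, so the specific reason reaches the operator only as a log line; putting the `find_server_certs()` check in an `else:` clause of the `try` keeps the specific error for the caller while the import itself still gets the generic wrapping. `tempfile.mkdtemp('ipa')` passes 'ipa' as the suffix rather than the prefix, so `tempfile.mkdtemp(prefix='ipa')` is what the call appears to intend. The hunk uses `tempfile` and `shutil` without adding imports, so both presumably already exist at module top — confirm, since the patch does not show them. `install_check` begins before this hunk and `cafile` is assigned outside it.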
--
2.5.0
|