From f57c0fbd46d0cca82b45c2f16fab316aa2554a08 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Fri, 24 Mar 2017 09:52:18 +0100
Subject: [PATCH] Get correct CA cert nickname in CA-less
During CA-less installation, we initialize the HTTPD alias
database from a pkcs12 file. This means there's going to
be different nicknames to the added certificates. Store
the CA certificate nickname in HTTPInstance__setup_ssl()
to be able to correctly export it later.
https://pagure.io/freeipa/issue/6806
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipaserver/install/httpinstance.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 01b55e7a7b00d020b7745c419267ad4f0ba86804..3e4252cb1e907618d4aa15f7381caff5e4e868e3 100644
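--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -118,6 +118,7 @@ class WebGuiInstance(service.SimpleServiceInstance):
 def __init__(self):
 service.SimpleServiceInstance.__init__(self, "ipa_webgui")
 
+
 class HTTPInstance(service.Service):
 def __init__(self, fstore=None, cert_nickname='Server-Cert',
 api=api):
@@ -130,6 +131,7 @@ class HTTPInstance(service.Service):
 service_user=HTTPD_USER,
 keytab=paths.HTTP_KEYTAB)
 
+ self.cacert_nickname = None
 self.cert_nickname = cert_nickname
 self.ca_is_configured = True
 self.keytab_user = constants.GSSPROXY_USER
@@ -441,6 +443,9 @@ class HTTPInstance(service.Service):
 if not server_certs:
 raise RuntimeError("Could not find a suitable server cert.")
 
+ # store the CA cert nickname so that we can publish it later on
+ self.cacert_nickname = db.cacert_name
+
 def __import_ca_certs(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
 subject_base=self.subject_base)
@@ -449,7 +454,7 @@ class HTTPInstance(service.Service):
 def __publish_ca_cert(self):
 ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
 subject_base=self.subject_base)
- ca_db.publish_ca_cert(paths.CA_CRT)
+ ca_db.export_pem_cert(self.cacert_nickname, paths.CA_CRT)
 
 def is_kdcproxy_configured(self):
 """Check if KDC proxy has already been configured in the past"""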
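Review bot: `__publish_ca_cert()` in the last hunk now passes `self.cacert_nickname` to `export_pem_cert()` without checking it, although `__init__` sets it to `None` and only the assignment in the `@@ -441` hunk gives it a value. That assignment's enclosing function starts outside the hunk and the page has lost indentation, so it is not visible whether it runs on every install path or only the pkcs12 one. Because `paths.CA_CRT` is the CA certificate being published, presumably the trust anchor clients rely on, a missing nickname should fail loudly rather than reach the NSS export. A guard such as `if self.cacert_nickname is None: raise RuntimeError("CA cert nickname not set; __setup_ssl() must run first")` before the export would do that. A one-line comment on `self.cacert_nickname = None` saying it is populated by `__setup_ssl()` would also document the new ordering dependency between the two steps.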
--
2.12.2