|
|
ac7d03 |
From b98b21aaa709ccd91369e89a836f64c06c4593e8 Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Jan Cholasta <jcholast@redhat.com>
|
|
|
ac7d03 |
Date: Thu, 27 Apr 2017 09:33:25 +0200
|
|
|
ac7d03 |
Subject: [PATCH] certdb: add named trust flag constants
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Add named constants for common trust flag combinations.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Use the named constants instead of trust flags strings in the code.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
https://pagure.io/freeipa/issue/6831
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
ac7d03 |
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
install/restart_scripts/restart_httpd | 3 ++-
|
|
|
ac7d03 |
install/tools/ipa-replica-conncheck | 4 +++-
|
|
|
ac7d03 |
ipaclient/install/client.py | 9 ++++++---
|
|
|
ac7d03 |
ipapython/certdb.py | 9 +++++++--
|
|
|
ac7d03 |
ipaserver/install/ca.py | 2 +-
|
|
|
ac7d03 |
ipaserver/install/certs.py | 5 +++--
|
|
|
ac7d03 |
ipaserver/install/dsinstance.py | 5 +++--
|
|
|
ac7d03 |
ipaserver/install/httpinstance.py | 5 +++--
|
|
|
ac7d03 |
ipaserver/install/ipa_cacert_manage.py | 16 +++++++++++-----
|
|
|
ac7d03 |
ipaserver/install/plugins/upload_cacrt.py | 2 +-
|
|
|
ac7d03 |
ipaserver/install/server/replicainstall.py | 3 ++-
|
|
|
ac7d03 |
ipaserver/install/server/upgrade.py | 4 ++--
|
|
|
ac7d03 |
12 files changed, 44 insertions(+), 23 deletions(-)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
|
|
|
ac7d03 |
index b661b82b896b109c3859ac82c2d84ab27b839f72..cd7f12024ea3cab16e9c664687cd854e666c9570 100644
|
|
|
ac7d03 |
--- a/install/restart_scripts/restart_httpd
|
|
|
ac7d03 |
+++ b/install/restart_scripts/restart_httpd
|
|
|
ac7d03 |
@@ -24,6 +24,7 @@ import traceback
|
|
|
ac7d03 |
from ipalib import api
|
|
|
ac7d03 |
from ipaplatform import services
|
|
|
ac7d03 |
from ipaplatform.paths import paths
|
|
|
ac7d03 |
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
|
|
|
ac7d03 |
from ipaserver.install import certs, installutils
|
|
|
ac7d03 |
|
|
|
ac7d03 |
|
|
|
ac7d03 |
@@ -36,7 +37,7 @@ def _main():
|
|
|
ac7d03 |
nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
# Add trust flag which set certificate trusted for SSL connections.
|
|
|
ac7d03 |
- db.trust_root_cert(nickname, "P,,")
|
|
|
ac7d03 |
+ db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
|
|
|
ac7d03 |
index fdbd4f32d9fa4a625cca3614e13e71d00f58e57e..528242268f9992e903781b76a379039d533853c0 100755
|
|
|
ac7d03 |
--- a/install/tools/ipa-replica-conncheck
|
|
|
ac7d03 |
+++ b/install/tools/ipa-replica-conncheck
|
|
|
ac7d03 |
@@ -549,7 +549,9 @@ def main():
|
|
|
ac7d03 |
data = ca_cert.public_bytes(
|
|
|
ac7d03 |
serialization.Encoding.DER)
|
|
|
ac7d03 |
nss_db.add_cert(
|
|
|
ac7d03 |
- data, str(DN(ca_cert.subject)), 'C,,')
|
|
|
ac7d03 |
+ data,
|
|
|
ac7d03 |
+ str(DN(ca_cert.subject)),
|
|
|
ac7d03 |
+ certdb.EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
api.bootstrap(context='client',
|
|
|
ac7d03 |
confdir=paths.ETC_IPA,
|
|
|
ac7d03 |
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
|
|
ac7d03 |
index abca692fd61be4a9f35a1398fb2af4b1d9e8689b..e78be904dd6bad491d9f3c1bb1e1410bc1779d45 100644
|
|
|
ac7d03 |
--- a/ipaclient/install/client.py
|
|
|
ac7d03 |
+++ b/ipaclient/install/client.py
|
|
|
ac7d03 |
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
|
|
|
ac7d03 |
if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
|
|
|
ac7d03 |
create_ipa_nssdb()
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
|
|
|
ac7d03 |
- ('External CA cert', 'C,,')):
|
|
|
ac7d03 |
+ for nickname, trust_flags in (
|
|
|
ac7d03 |
+ ('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
|
|
|
ac7d03 |
+ ('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
cert = sys_db.get_cert(nickname)
|
|
|
ac7d03 |
except RuntimeError:
|
|
|
ac7d03 |
@@ -2680,7 +2681,9 @@ def _install(options):
|
|
|
ac7d03 |
tmp_db.create_db()
|
|
|
ac7d03 |
|
|
|
ac7d03 |
for i, cert in enumerate(ca_certs):
|
|
|
ac7d03 |
- tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
|
|
|
ac7d03 |
+ tmp_db.add_cert(cert,
|
|
|
ac7d03 |
+ 'CA certificate %d' % (i + 1),
|
|
|
ac7d03 |
+ certdb.EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
except CalledProcessError:
|
|
|
ac7d03 |
raise ScriptError(
|
|
|
ac7d03 |
"Failed to add CA to temporary NSS database.",
|
|
|
ac7d03 |
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
|
|
|
ac7d03 |
index ea73ec139df9013b860df447fcffd9038cf7c8f2..44c7bf3197c198295035742e6db48527d76e85a6 100644
|
|
|
ac7d03 |
--- a/ipapython/certdb.py
|
|
|
ac7d03 |
+++ b/ipapython/certdb.py
|
|
|
ac7d03 |
@@ -52,6 +52,11 @@ CA_NICKNAME_FMT = "%s IPA CA"
|
|
|
ac7d03 |
|
|
|
ac7d03 |
NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
|
|
|
ac7d03 |
|
|
|
ac7d03 |
+EMPTY_TRUST_FLAGS = ',,'
|
|
|
ac7d03 |
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
|
|
|
ac7d03 |
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
|
|
|
ac7d03 |
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
|
|
|
ac7d03 |
return format % realm
|
|
|
ac7d03 |
@@ -441,7 +446,7 @@ class NSSDatabase(object):
|
|
|
ac7d03 |
cert = x509.load_certificate(cert_pem)
|
|
|
ac7d03 |
nickname = str(DN(cert.subject))
|
|
|
ac7d03 |
data = cert.public_bytes(serialization.Encoding.DER)
|
|
|
ac7d03 |
- self.add_cert(data, nickname, ',,')
|
|
|
ac7d03 |
+ self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
if extracted_key:
|
|
|
ac7d03 |
in_file = ipautil.write_tmp_file(
|
|
|
ac7d03 |
@@ -473,7 +478,7 @@ class NSSDatabase(object):
|
|
|
ac7d03 |
root_nickname)
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
if trust_flags is None:
|
|
|
ac7d03 |
- trust_flags = 'C,,'
|
|
|
ac7d03 |
+ trust_flags = EXTERNAL_CA_TRUST_FLAGS
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
self.run_certutil(["-M", "-n", root_nickname,
|
|
|
ac7d03 |
"-t", trust_flags])
|
|
|
ac7d03 |
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
|
|
ac7d03 |
index 8ee0fda23411563c70b7db5f39f43c2869c108b5..52cb20f1cb3612394544a6a41f10e9e939bc0657 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/ca.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/ca.py
|
|
|
ac7d03 |
@@ -320,7 +320,7 @@ def install_step_1(standalone, replica_config, options):
|
|
|
ac7d03 |
realm_name, nssdir=dirname, subject_base=subject_base)
|
|
|
ac7d03 |
cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca', pem=False)
|
|
|
ac7d03 |
nickname = certdb.get_ca_nickname(realm_name)
|
|
|
ac7d03 |
- trust_flags = 'CT,C,C'
|
|
|
ac7d03 |
+ trust_flags = certdb.IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
dsdb.add_cert(cacert, nickname, trust_flags)
|
|
|
ac7d03 |
certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
|
|
|
ac7d03 |
cacert, nickname, trust_flags,
|
|
|
ac7d03 |
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
|
|
|
ac7d03 |
index 89e57134f24c505d669057eefffb7862b3b8179a..f87e00eb5e9c14ed30d39ef9f6e86b6f24bb1c61 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/certs.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/certs.py
|
|
|
ac7d03 |
@@ -37,6 +37,7 @@ from ipalib.install import certmonger, sysrestore
|
|
|
ac7d03 |
from ipapython.ipa_log_manager import root_logger
|
|
|
ac7d03 |
from ipapython import dogtag
|
|
|
ac7d03 |
from ipapython import ipautil
|
|
|
ac7d03 |
+from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
|
|
|
ac7d03 |
from ipapython.dn import DN
|
|
|
ac7d03 |
from ipalib import pkcs10, x509, api
|
|
|
ac7d03 |
@@ -597,7 +598,7 @@ class CertDB(object):
|
|
|
ac7d03 |
# a new certificate database.
|
|
|
ac7d03 |
self.create_passwd_file()
|
|
|
ac7d03 |
self.create_certdbs()
|
|
|
ac7d03 |
- self.load_cacert(cacert_fname, 'CT,C,C')
|
|
|
ac7d03 |
+ self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
|
|
|
ac7d03 |
ca_file=None, trust_flags=None):
|
|
|
ac7d03 |
@@ -643,7 +644,7 @@ class CertDB(object):
|
|
|
ac7d03 |
cert, st = find_cert_from_txt(certs, st)
|
|
|
ac7d03 |
except RuntimeError:
|
|
|
ac7d03 |
break
|
|
|
ac7d03 |
- self.add_cert(cert, 'CA %s' % num, ',,', pem=True)
|
|
|
ac7d03 |
+ self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS, pem=True)
|
|
|
ac7d03 |
num += 1
|
|
|
ac7d03 |
|
|
|
ac7d03 |
# We only handle one server cert
|
|
|
ac7d03 |
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
index 403fe8489fdd9e0dbf40dd4df3794b51185d45b9..0db0368fa4b48495718afd779291ce164d1687c8 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/dsinstance.py
|
|
|
ac7d03 |
@@ -32,6 +32,7 @@ import fnmatch
|
|
|
ac7d03 |
import ldap
|
|
|
ac7d03 |
|
|
|
ac7d03 |
from ipalib.install import certmonger, certstore
|
|
|
ac7d03 |
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
|
|
|
ac7d03 |
from ipapython.ipa_log_manager import root_logger
|
|
|
ac7d03 |
from ipapython import ipautil, ipaldap
|
|
|
ac7d03 |
from ipapython import dogtag
|
|
|
ac7d03 |
@@ -766,7 +767,7 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
)
|
|
|
ac7d03 |
if self.pkcs12_info:
|
|
|
ac7d03 |
if self.ca_is_configured:
|
|
|
ac7d03 |
- trust_flags = 'CT,C,C'
|
|
|
ac7d03 |
+ trust_flags = IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
trust_flags = None
|
|
|
ac7d03 |
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
|
|
|
ac7d03 |
@@ -1065,7 +1066,7 @@ class DsInstance(service.Service):
|
|
|
ac7d03 |
certdb.cacert_name = cacert_name
|
|
|
ac7d03 |
status = True
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
- certdb.load_cacert(cacert_fname, 'C,,')
|
|
|
ac7d03 |
+ certdb.load_cacert(cacert_fname, EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
except ipautil.CalledProcessError as e:
|
|
|
ac7d03 |
root_logger.critical("Error importing CA cert file named [%s]: %s" %
|
|
|
ac7d03 |
(cacert_fname, str(e)))
|
|
|
ac7d03 |
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
|
|
ac7d03 |
index ab688a85f157b1886842a91bb7d22f9ea99e3615..a6aeb21edc73783ff9a3f9b526409ea525aa66dd 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/httpinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/httpinstance.py
|
|
|
ac7d03 |
@@ -32,6 +32,7 @@ import six
|
|
|
ac7d03 |
from augeas import Augeas
|
|
|
ac7d03 |
|
|
|
ac7d03 |
from ipalib.install import certmonger
|
|
|
ac7d03 |
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
|
|
|
ac7d03 |
from ipaserver.install import service
|
|
|
ac7d03 |
from ipaserver.install import certs
|
|
|
ac7d03 |
from ipaserver.install import installutils
|
|
|
ac7d03 |
@@ -381,7 +382,7 @@ class HTTPInstance(service.Service):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
if self.pkcs12_info:
|
|
|
ac7d03 |
if self.ca_is_configured:
|
|
|
ac7d03 |
- trust_flags = 'CT,C,C'
|
|
|
ac7d03 |
+ trust_flags = IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
trust_flags = None
|
|
|
ac7d03 |
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
|
|
|
ac7d03 |
@@ -403,7 +404,7 @@ class HTTPInstance(service.Service):
|
|
|
ac7d03 |
self.__set_mod_nss_nickname(nickname)
|
|
|
ac7d03 |
self.add_cert_to_service()
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- db.trust_root_cert(nickname, "P,,")
|
|
|
ac7d03 |
+ db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
if not self.promote:
|
|
|
ac7d03 |
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
index 3b732e4dcbb5c9b4dfbb9e3608bc7d7afd3e10c2..88b40d45e10281d272882d21e06f5d53cf5a701d 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/ipa_cacert_manage.py
|
|
|
ac7d03 |
@@ -26,6 +26,7 @@ import gssapi
|
|
|
ac7d03 |
|
|
|
ac7d03 |
from ipalib.install import certmonger, certstore
|
|
|
ac7d03 |
from ipapython import admintool, ipautil
|
|
|
ac7d03 |
+from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
|
|
|
ac7d03 |
from ipapython.dn import DN
|
|
|
ac7d03 |
from ipaplatform.paths import paths
|
|
|
ac7d03 |
from ipalib import api, errors, x509
|
|
|
ac7d03 |
@@ -242,10 +243,10 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
with certs.NSSDatabase() as tmpdb:
|
|
|
ac7d03 |
tmpdb.create_db()
|
|
|
ac7d03 |
- tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')
|
|
|
ac7d03 |
+ tmpdb.add_cert(old_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
- tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
|
|
|
ac7d03 |
+ tmpdb.add_cert(new_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
except ipautil.CalledProcessError as e:
|
|
|
ac7d03 |
raise admintool.ScriptError(
|
|
|
ac7d03 |
"Not compatible with the current CA certificate: %s" % e)
|
|
|
ac7d03 |
@@ -253,7 +254,8 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
ca_certs = x509.load_certificate_list_from_file(ca_file.name)
|
|
|
ac7d03 |
for ca_cert in ca_certs:
|
|
|
ac7d03 |
data = ca_cert.public_bytes(serialization.Encoding.DER)
|
|
|
ac7d03 |
- tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')
|
|
|
ac7d03 |
+ tmpdb.add_cert(
|
|
|
ac7d03 |
+ data, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
tmpdb.verify_ca_cert_validity('IPA CA')
|
|
|
ac7d03 |
@@ -270,7 +272,11 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
except RuntimeError:
|
|
|
ac7d03 |
break
|
|
|
ac7d03 |
certstore.put_ca_cert_nss(
|
|
|
ac7d03 |
- conn, api.env.basedn, ca_cert, nickname, ',,')
|
|
|
ac7d03 |
+ conn,
|
|
|
ac7d03 |
+ api.env.basedn,
|
|
|
ac7d03 |
+ ca_cert,
|
|
|
ac7d03 |
+ nickname,
|
|
|
ac7d03 |
+ EMPTY_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
|
|
|
ac7d03 |
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
|
|
|
ac7d03 |
@@ -343,7 +349,7 @@ class CACertManage(admintool.AdminTool):
|
|
|
ac7d03 |
|
|
|
ac7d03 |
with certs.NSSDatabase() as tmpdb:
|
|
|
ac7d03 |
tmpdb.create_db()
|
|
|
ac7d03 |
- tmpdb.add_cert(cert, nickname, 'C,,')
|
|
|
ac7d03 |
+ tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
|
|
|
ac7d03 |
tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ac7d03 |
index 425ea63976ec92a6d69492d90a1e970e528c4a26..7d294ff971bd109e5fbb3570bfff0198f24b68d3 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ac7d03 |
@@ -55,7 +55,7 @@ class update_upload_cacrt(Updater):
|
|
|
ac7d03 |
if 'u' in trust_flags:
|
|
|
ac7d03 |
continue
|
|
|
ac7d03 |
if nickname == ca_nickname and ca_enabled:
|
|
|
ac7d03 |
- trust_flags = 'CT,C,C'
|
|
|
ac7d03 |
+ trust_flags = certdb.IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
cert = db.get_cert_from_db(nickname, pem=False)
|
|
|
ac7d03 |
trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
ac7d03 |
index aa8e67f60b8abe591d55a907c409b584c74d4541..5e78e6faf51ded2fe7634f230c66aa15ae84bad4 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
ac7d03 |
@@ -23,6 +23,7 @@ import ipaclient.install.ntpconf
|
|
|
ac7d03 |
from ipalib.install import certstore, sysrestore
|
|
|
ac7d03 |
from ipalib.install.kinit import kinit_keytab
|
|
|
ac7d03 |
from ipapython import ipaldap, ipautil
|
|
|
ac7d03 |
+from ipapython.certdb import IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
from ipapython.dn import DN
|
|
|
ac7d03 |
from ipapython.ipa_log_manager import root_logger
|
|
|
ac7d03 |
from ipapython.admintool import ScriptError
|
|
|
ac7d03 |
@@ -737,7 +738,7 @@ def install_check(installer):
|
|
|
ac7d03 |
nssdir=tmp_db_dir,
|
|
|
ac7d03 |
subject_base=config.subject_base)
|
|
|
ac7d03 |
if ca_enabled:
|
|
|
ac7d03 |
- trust_flags = 'CT,C,C'
|
|
|
ac7d03 |
+ trust_flags = IPA_CA_TRUST_FLAGS
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
trust_flags = None
|
|
|
ac7d03 |
tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
|
|
|
ac7d03 |
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
|
ac7d03 |
index 5e5c83731d3d3415deb61271baa7865c62f60336..73a4f1108a56a766cdbbcb93d7050482a8264a75 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/server/upgrade.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/server/upgrade.py
|
|
|
ac7d03 |
@@ -1389,7 +1389,7 @@ def fix_trust_flags():
|
|
|
ac7d03 |
nickname = certdb.get_ca_nickname(api.env.realm)
|
|
|
ac7d03 |
cert = db.get_cert_from_db(nickname)
|
|
|
ac7d03 |
if cert:
|
|
|
ac7d03 |
- db.trust_root_cert(nickname, 'CT,C,C')
|
|
|
ac7d03 |
+ db.trust_root_cert(nickname, certdb.IPA_CA_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
@@ -1407,7 +1407,7 @@ def fix_server_cert_trust_flags():
|
|
|
ac7d03 |
sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
|
|
|
ac7d03 |
"NSSNickname")
|
|
|
ac7d03 |
# Add trust flag which set certificate trusted for SSL connections.
|
|
|
ac7d03 |
- db.trust_root_cert(sc_nickname, "P,,")
|
|
|
ac7d03 |
+ db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.9.4
|
|
|
ac7d03 |
|