From 8d651ef5a00c418138c355aa95259246090705b7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
renewal
Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.
https://fedorahosted.org/freeipa/ticket/5595
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
install/restart_scripts/renew_ca_cert | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765b7d8bbeafd5379831020a952a7aa6db41..92dc0e6685f61f34bd6df941ef63ac138ad7965b 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
import traceback
from ipapython import dogtag, ipautil
-from ipapython.dn import DN
from ipalib import api, errors, x509, certstore
from ipaserver.install import certs, cainstance, installutils
from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
"Updating CA certificate failed: %s" % e)
# Add external CA certificates
- ca_issuer = str(x509.get_issuer(cert, x509.DER))
try:
- ca_certs = certstore.get_ca_certs(
- conn, api.env.basedn, api.env.realm, False,
- filter_subject=ca_issuer)
+ ca_certs = certstore.get_ca_certs_nss(
+ conn, api.env.basedn, api.env.realm, False)
except Exception, e:
syslog.syslog(
syslog.LOG_ERR,
@@ -170,25 +167,18 @@ def _main():
"%s" % e)
ca_certs = []
- for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
- ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
- nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
- nick = nick_base
- i = 1
- while db.has_nickname(nick):
- nick = '%s [%s]' % (nick_base, i)
- i += 1
- if ca_trusted is False:
- flags = 'p,p,p'
- else:
- flags = 'CT,c,'
-
+ for ca_cert, ca_nick, ca_flags in ca_certs:
try:
- db.add_cert(ca_cert, nick, flags)
+ db.add_cert(ca_cert, ca_nick, ca_flags)
except ipautil.CalledProcessError, e:
syslog.syslog(
syslog.LOG_ERR,
"Failed to add certificate %s" % ca_nick)
+
+ # Pass Dogtag's self-tests
+ for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+ ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+ db.trust_root_cert(ca_nick, 'C' + ca_flags)
finally:
if conn is not None and conn.isconnected():
conn.disconnect()
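Review bot: The new lookup `ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]` raises an uncaught KeyError whenever a nickname returned by `db.find_root_cert(nickname)` is not among the certs just fetched — certainly after the fetch failure path above sets `ca_certs = []` (which the `except` deliberately turns into a logged best-effort), and presumably also when that chain entry was already in the NSS database from an earlier run — so the renewal script dies after the certs were added but before any trust flag is set. Build the nickname-to-flags map once before the loop, skip (with a syslog message) any nickname it lacks, and give `db.trust_root_cert` the same `ipautil.CalledProcessError` handling that `db.add_cert` gets a few lines earlier, since it is presumably another certutil invocation. Note also that the removed code shows the store can mark a CA distrusted (`p,p,p`); if such an entry ever reaches this loop, `'C' + ca_flags` would produce a contradictory `Cp,p,p`, so a guard or at least a comment on that case is worth adding. The `# Pass Dogtag's self-tests` comment should state which chain entry the `[-2:-1]` slice is meant to select and why only that one needs the `C` flag, since neither is obvious from the call. The enclosing `_main()` starts before this hunk.
```python
        # … unchanged: add_cert loop over ca_certs …

        # Pass Dogtag's self-tests
        flags_by_nick = dict(cc[1:] for cc in ca_certs)
        for ca_nick in db.find_root_cert(nickname)[-2:-1]:
            ca_flags = flags_by_nick.get(ca_nick)
            if ca_flags is None:
                syslog.syslog(
                    syslog.LOG_ERR,
                    "Not setting trust on %s: not in the certificate store"
                    % ca_nick)
                continue
            try:
                db.trust_root_cert(ca_nick, 'C' + ca_flags)
            except ipautil.CalledProcessError:
                syslog.syslog(
                    syslog.LOG_ERR,
                    "Failed to set trust on certificate %s" % ca_nick)
```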
--
2.5.0