diff --git a/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch b/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch new file mode 100644 index 0000000..09ecea3 --- /dev/null +++ b/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch 
@@ -0,0 +1,86 @@ +From 15c68b5ab6441a443f0a135da2b553ee1f9cbcf9 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Fri, 8 Aug 2014 10:15:26 +0200 +Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to + pkispawn. + +https://fedorahosted.org/freeipa/ticket/4397 +--- + install/tools/ipa-server-install | 6 +++--- + install/tools/man/ipa-server-install.1 | 10 +++++++--- + ipaserver/install/cainstance.py | 13 ++++++++++++- + 3 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install +index dfbbb91bf3bb8461333193b5a3e72c3ec06d4582..feea616b089261bf46392d5514e6e3cc9e12fcac 100755 +--- a/install/tools/ipa-server-install ++++ b/install/tools/ipa-server-install +@@ -174,11 +174,11 @@ def parse_options(): + + cert_group = OptionGroup(parser, "certificate system options") + cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true", +- default=False, help="Generate a CSR to be signed by an external CA") ++ default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA") + cert_group.add_option("", "--external_cert_file", dest="external_cert_file", +- help="PEM file containing a certificate signed by the external CA") ++ help="File containing the IPA CA certificate signed by the external CA in PEM format") + cert_group.add_option("", "--external_ca_file", dest="external_ca_file", +- help="PEM file containing the external CA chain") ++ help="File containing the external CA certificate chain in PEM format") + cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", + default=True, help="disables pkinit setup steps") + cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", +diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 +index 4adf1d037517bb211bd4c5e5e915380777e8f337..d713d2db4cb863dff77e451b22c5a9b1fbbfeecd 100644 +--- 
a/install/tools/man/ipa-server-install.1 ++++ b/install/tools/man/ipa-server-install.1 +@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input + .SS "CERTIFICATE SYSTEM OPTIONS" + .TP + \fB\-\-external\-ca\fR +-Generate a CSR to be signed by an external CA ++Generate a CSR for the IPA CA certificate to be signed by an external CA. + .TP + \fB\-\-external_cert_file\fR=\fIFILE\fR +-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file. ++File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file. + .TP + \fB\-\-external_ca_file\fR=\fIFILE\fR +-PEM file containing the external CA chain ++File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file. ++ ++If the CA certificate chain is in PKCS#7 format you can convert it to PEM using: ++ ++ openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE + .TP + \fB\-\-no\-pkinit\fR + Disables pkinit setup steps +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1..233fa5d95fb7068b22a1c3daaed89176ff14a380 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -578,9 +578,20 @@ def __spawn_instance(self): + config.set("CA", "pki_external_csr_path", self.csr_file) + + elif self.external == 2: ++ cert_chain, stderr, rc = ipautil.run( ++ ['/usr/bin/openssl', 'crl2pkcs7', ++ '-certfile', self.cert_chain_file, ++ '-nocrl']) ++ # Dogtag chokes on the header and footer, remove them ++ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838 ++ cert_chain = re.search( ++ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)', ++ cert_chain, re.DOTALL).group(0) ++ cert_chain_file = ipautil.write_tmp_file(cert_chain) ++ + config.set("CA", "pki_external", "True") + config.set("CA", "pki_external_ca_cert_path", self.cert_file) +- config.set("CA", 
"pki_external_ca_cert_chain_path", self.cert_chain_file) ++ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) + config.set("CA", "pki_external_step_two", "True") + + # Generate configuration file +-- +1.9.3 + diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch index 53301a0..c650b25 100644 --- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch +++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch @@ -1,7 +1,7 @@ -From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001 +From ebaad372cdeb941af1a390f81c8a4d90ea128f9f Mon Sep 17 00:00:00 2001 From: Martin Kosek -Date: Wed, 22 May 2013 09:38:50 +0200 -Subject: [PATCH 1001/1006] Hide pkinit functionality from production version +Date: Thu, 14 Aug 2014 13:34:13 +0200 +Subject: [PATCH] Hide pkinit functionality from production version Rebased from original patch from Jan Zeleny and Rob Crittenden. @@ -13,10 +13,10 @@ https://fedorahosted.org/freeipa/ticket/616 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install -index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755 +index 4418b41784313121e73b560ee84715ddeba8bc54..ff4cd70147abb2dc6e0486155fb179d4fb1b29e9 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install -@@ -96,8 +96,6 @@ def parse_options(): +@@ -95,8 +95,6 @@ def parse_options(): parser.add_option_group(basic_group) cert_group = OptionGroup(parser, "certificate system options") 
@@ -25,7 +25,7 @@ index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659 cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true", default=False, help="skip check for updated CA DS schema on the remote master") parser.add_option_group(cert_group) -@@ -122,6 +120,9 @@ def parse_options(): +@@ -121,6 +119,9 @@ def parse_options(): options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -36,13 +36,13 @@ index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659 parser.error("you must provide a file generated by ipa-replica-prepare") diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install -index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755 +index feea616b089261bf46392d5514e6e3cc9e12fcac..5bd22bf18f2b00e26d674b6cbbf81989b4a030cb 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install -@@ -173,20 +173,14 @@ def parse_options(): - help="PEM file containing a certificate signed by the external CA") +@@ -179,20 +179,14 @@ def parse_options(): + help="File containing the IPA CA certificate signed by the external CA in PEM format") cert_group.add_option("", "--external_ca_file", dest="external_ca_file", - help="PEM file containing the external CA chain") + help="File containing the external CA certificate chain in PEM format") - cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", - default=True, help="disables pkinit setup steps") cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", 
@@ -60,7 +60,7 @@ index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b cert_group.add_option("--root-ca-file", dest="root_ca_file", help="PEM file with root CA certificate(s) to trust") cert_group.add_option("--subject", action="callback", callback=subject_callback, -@@ -236,6 +230,10 @@ def parse_options(): +@@ -229,6 +223,10 @@ def parse_options(): options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -72,10 +72,10 @@ index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b try: validate_dm_password(options.dm_password) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py -index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644 +index 36d078a6b73562cb0047154f4bb7666ab25687b8..a3b89a8a739c6082aa7117cea470e2a9d8dba7f9 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py -@@ -57,9 +57,6 @@ def add_options(cls, parser): +@@ -56,9 +56,6 @@ def add_options(cls, parser): parser.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="do not create reverse DNS zone") @@ -85,7 +85,7 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12", metavar="FILE", help="location of CA PKCS#12 file, default /root/cacert.p12") -@@ -72,15 +69,10 @@ def add_options(cls, parser): +@@ -71,15 +68,10 @@ def add_options(cls, parser): group.add_option("--http_pkcs12", dest="http_pkcs12", metavar="FILE", help="install certificate for the http server") 
@@ -101,7 +101,7 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b parser.add_option_group(group) def validate_options(self): -@@ -100,7 +92,10 @@ def validate_options(self): +@@ -99,7 +91,10 @@ def validate_options(self): "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported @@ -113,5 +113,5 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b # If any of the PKCS#12 options are selected, all are required. pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) -- -1.8.3.1 +1.9.3 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 33b4609..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -uNrp freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py freeipa-3.3.3/ipaserver/install/ntpinstance.py ---- freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py 2013-11-01 10:34:30.000000000 -0500 -+++ freeipa-3.3.3/ipaserver/install/ntpinstance.py 2014-06-26 07:27:19.644718099 -0500 -@@ -43,6 +43,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists("/etc/fedora-release"): - os = "fedora" -+ elif ipautil.file_exists("/etc/centos-release"): -+ os = "centos" - elif ipautil.file_exists("/etc/redhat-release"): - os = "rhel" - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index a98a578..ae37d92 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -18,7 +18,7 @@ Name: ipa Version: 3.3.3 -Release: 28%{?dist} +Release: 28%{?dist}.1 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -93,6 +93,7 @@ Patch0062: 0062-Prohibit-deletion-of-active-subdomain-range.patch Patch0063: 0063-extdom-do-not-return-results-from-the-wrong-domain.patch Patch0064: 0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch Patch0065: 0065-Make-ipa-client-automount-backwards-compatible.patch +Patch0066: 0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -102,8 +103,6 @@ Patch1005: 1005-Remove-pylint-from-build-process.patch Patch1006: 1006-Remove-i18test-from-build-process.patch Patch1007: 1007-Remove-ipa-backup-and-ipa-restore-functionality.patch -Patch9999: ipa-centos-branding.patch - %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.1 BuildRequires: svrcore-devel @@ -150,6 +149,7 @@ BuildRequires: check BuildRequires: libsss_idmap-devel BuildRequires: libsss_nss_idmap-devel BuildRequires: java-1.7.0-openjdk +BuildRequires: rhino BuildRequires: libverto-devel BuildRequires: systemd BuildRequires: libunistring-devel @@ -208,6 +208,9 @@ Requires: selinux-policy >= 3.12.1-65 Requires(post): selinux-policy-base Requires: slapi-nis >= 0.47.7 Requires: pki-ca >= 10.0.4 +%if 0%{?rhel} +Requires: subscription-manager +%endif Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns @@ -843,8 +846,10 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog -* Thu Jun 26 2014 Johnny Hughes - 3.3.3-28.el7.centos -- Roll in CentOS Branding +* Thu Aug 14 2014 Martin Kosek - 3.3.3-28.1 +- Server installation fails using external signed certificates with + "IndexError: list index out of range" (#1130031) +- Add rhino to BuildRequires to fix Web UI build error * Tue Apr 1 2014 Martin Kosek - 3.3.3-28 - ipa-client-automount fails with incompatibility error when installed against
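Review bot: The `%if 0%{?rhel}` / `Requires: subscription-manager` / `%endif` block added in the `@@ -208,6 +208,9 @@` hunk introduces a new runtime dependency that the changelog entry in the same commit does not mention, and nothing in the diff shows what ipa needs subscription-manager for; add a changelog line such as `- Require subscription-manager on RHEL` and, if the dependency serves only one tool or subpackage, consider placing the Requires there rather than on the main package. `%{?rhel}` is typically also defined on RHEL-derived rebuilds, so the conditional likely does not restrict the requirement to RHEL proper; confirm that is intended. The same commit drops the CentOS branding patch (`Patch9999`) together with its changelog entry without saying why.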