From 8d651ef5a00c418138c355aa95259246090705b7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert renewal

Import all external CA certs to the Dogtag NSS database on IPA CA cert renewal. This fixes Dogtag not being able to connect to DS which uses 3rd party server cert after ipa-certupdate.

https://fedorahosted.org/freeipa/ticket/5595

Reviewed-By: Martin Babinsky
---
 install/restart_scripts/renew_ca_cert | 28 +++++++++-------------------
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765b7d8bbeafd5379831020a952a7aa6db41..92dc0e6685f61f34bd6df941ef63ac138ad7965b 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipapython import dogtag, ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
             "Updating CA certificate failed: %s" % e)
 
     # Add external CA certificates
-    ca_issuer = str(x509.get_issuer(cert, x509.DER))
     try:
-        ca_certs = certstore.get_ca_certs(
-            conn, api.env.basedn, api.env.realm, False,
-            filter_subject=ca_issuer)
+        ca_certs = certstore.get_ca_certs_nss(
+            conn, api.env.basedn, api.env.realm, False)
     except Exception, e:
         syslog.syslog(
             syslog.LOG_ERR,
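Review bot: The comment `# Add external CA certificates` above the new `get_ca_certs_nss` call no longer says why the issuer filter was dropped, which only the commit message explains: every CA certificate in the certstore is now imported so Dogtag can validate a DS server certificate issued by a third-party CA. Suggest `# Add all external CA certificates from the certstore (not only the IPA CA's issuer chain): Dogtag needs them to validate a DS server certificate issued by a 3rd-party CA`. The `except Exception, e:` fallback to an empty `ca_certs` is pre-existing, but worth keeping in mind because the self-test loop added in the next hunk indexes into `ca_certs` by nickname. `_main` starts before this hunk.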
@@ -170,25 +167,18 @@ def _main():
             "%s" % e)
         ca_certs = []
 
-    for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-        ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-        nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-        nick = nick_base
-        i = 1
-        while db.has_nickname(nick):
-            nick = '%s [%s]' % (nick_base, i)
-            i += 1
-        if ca_trusted is False:
-            flags = 'p,p,p'
-        else:
-            flags = 'CT,c,'
-
+    for ca_cert, ca_nick, ca_flags in ca_certs:
         try:
-            db.add_cert(ca_cert, nick, flags)
+            db.add_cert(ca_cert, ca_nick, ca_flags)
         except ipautil.CalledProcessError, e:
             syslog.syslog(
                 syslog.LOG_ERR,
                 "Failed to add certificate %s" % ca_nick)
+
+    # Pass Dogtag's self-tests
+    for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+        ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+        db.trust_root_cert(ca_nick, 'C' + ca_flags)
     finally:
         if conn is not None and conn.isconnected():
             conn.disconnect()
-- 
2.5.0
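Review bot: The new self-test loop can abort `_main` where the `add_cert` loop just above it deliberately tolerates failures: `dict(cc[1:] for cc in ca_certs)[ca_nick]` raises `KeyError` when the nickname returned by `db.find_root_cert` is not among the certs just fetched (including the case where the fetch failed and `ca_certs` is `[]`), and `db.trust_root_cert` can raise `ipautil.CalledProcessError` uncaught, unlike `db.add_cert`. Because the enclosing `try` has only a `finally`, either exception propagates out of `_main` after the CA certificate itself has already been updated, leaving the NSS database half-configured. Suggest building the flags map once, logging and skipping an unknown nickname, and wrapping `trust_root_cert` in the same `except ipautil.CalledProcessError` handling as `add_cert`. Separately, `'C' + ca_flags` is prepended unconditionally; if `get_ca_certs_nss` can return a distrust flag string (the removed code produced `'p,p,p'` for untrusted entries) this would grant SSL-CA trust over it, so that should be confirmed, and the `# Pass Dogtag's self-tests` comment should state which chain entry `[-2:-1]` selects and why it needs the `C` flag. `_main` and its `try` block begin before this hunk.

```python
    # … unchanged: add_cert loop over ca_certs …

    # Pass Dogtag's self-tests
    flags_by_nick = dict(cc[1:] for cc in ca_certs)
    for ca_nick in db.find_root_cert(nickname)[-2:-1]:
        ca_flags = flags_by_nick.get(ca_nick)
        if ca_flags is None:
            syslog.syslog(
                syslog.LOG_ERR,
                "Certificate %s not found among external CA certificates"
                % ca_nick)
            continue
        try:
            db.trust_root_cert(ca_nick, 'C' + ca_flags)
        except ipautil.CalledProcessError:
            syslog.syslog(
                syslog.LOG_ERR,
                "Failed to trust certificate %s" % ca_nick)
```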