diff --git a/SOURCES/0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch b/SOURCES/0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
new file mode 100644
index 0000000..bdff388
--- /dev/null
+++ b/SOURCES/0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
@@ -0,0 +1,39 @@
+From 5f1100e83146e898dca431d6cdaf62ab986e599d Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 9 Jun 2021 17:39:56 +0200
+Subject: [PATCH] CA less installation: non ASCII chars in CA subject
+
+In CA-less installation, ipa-server-install fails when the CA
+certificate contains a subject with non ASCII characters.
+
+ipa-server-install is internally calling ipautil.run(...)
+to launch a certutil -n nickname command, and the nickname is
+provided as a unicode instead of a string.
+
+The fix makes sure the nickname is provided as a utf-8
+encoded string.
+
+Fixes: https://pagure.io/freeipa/issue/8879
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+---
+ ipalib/install/certstore.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
+index 8b182958c26e066eaeca859f451073c83e82bd67..4d406c0ce34cb1bdd39dcbac70eae4f6b0895cb5 100644
+--- a/ipalib/install/certstore.py
++++ b/ipalib/install/certstore.py
+@@ -294,7 +294,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
+ 'cACertificate;binary'])
+
+ for entry in result:
+- nickname = entry.single_value['cn']
++ nickname = entry.single_value['cn'].encode('utf-8')
+ trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower()
+ if trusted == 'trusted':
+ trusted = True
+--
+2.26.3
+
diff --git a/SOURCES/0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch b/SOURCES/0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
new file mode 100644
index 0000000..be79963
--- /dev/null
+++ b/SOURCES/0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
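Review bot: The nested change `nickname = entry.single_value['cn'].encode('utf-8')` encodes unconditionally, which gives a `str` on Python 2 but `bytes` on Python 3, and the spec in this same commit also builds a python3 tree (`freeipa-%{version}-python3` in the `@@ -962` hunk); confirm that every consumer of the nickname returned by get_ca_certs in the py3 build accepts bytes, or limit the encode to Python 2. The reason for the encode lives only in the patch description, so a line comment would help the next reader, e.g. `# certutil -n needs a byte string on Python 2; the CN may hold non-ASCII chars`. get_ca_certs starts and ends outside the nested hunk, and since this is an upstream patch carried in SOURCES any adjustment would have to be a follow-up patch rather than an edit here.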
@@ -0,0 +1,37 @@
+From 50c77ddd79c1f469d40ebba3d337e4f88bdabb2f Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 9 Jun 2021 17:51:15 +0200
+Subject: [PATCH] ipatests: use non-ascii chars in CA-less install
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The CA-less installation creates an external CA with the
+subject CN=CA,O=Example Organization.
+In order to test non-ascii subjects, use
+CN=CA,O=Example Organization EspaƱa
+instead.
+
+Related: https://pagure.io/freeipa/issue/8879
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+---
+ ipatests/pytest_ipa/integration/create_caless_pki.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
+index 9a2e8e26b63729517f329bee736a315f9e8f0744..9279fdee9139e6a6050efa07cfa4fe1747afe4db 100644
+--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
++++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
+@@ -550,7 +550,7 @@ def create_pki():
+ x509.NameAttribute(NameOID.COMMON_NAME, server2)
+ ])
+ )
+- ca1 = gen_subtree(u'ca1', u'Example Organization')
++ ca1 = gen_subtree(u'ca1', u'Example Organization Espa\xf1a')
+ gen_subtree(u'subca', u'Subsidiary Example Organization', ca1)
+ gen_subtree(u'ca2', u'Other Example Organization')
+ ca3 = gen_subtree(u'ca3', u'Unknown Organization')
+--
+2.26.3
+
diff --git a/SOURCES/0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch b/SOURCES/0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
new file mode 100644
index 0000000..c8a76d1
--- /dev/null
+++ b/SOURCES/0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
@@ -0,0 +1,36 @@
+From 12124fcb8c908d208d8863c00cf19a511bd54d1c Mon Sep 17 00:00:00 2001
+From: Antonio Torres
+Date: Fri, 11 Jun 2021 14:00:08 +0200
+Subject: [PATCH] Allow PKINIT to be enabled when updating from a pre-PKINIT
+ IPA CA server
+
+When upgrading from a server with IPA CA before PKINIT was introduced
+(4.5), PKINIT would not be enabled and there wasn't any way to enable it
+since upgrade code only issues self-signed certificates when
+certificates are missing. With these change there is a way to enable
+PKINIT when coming from a IPA server with a pre-PKINIT version (4.4 and
+before).
+
+Fixes: https://pagure.io/freeipa/issue/8532
+Signed-off-by: Antonio Torres
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/install/ipa_pkinit_manage.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
+index 86bd1baf00178a629864b210ca9f4786668149df..bf5875d4f3f35465e6a9ff708d19c25bc3f95063 100644
+--- a/ipaserver/install/ipa_pkinit_manage.py
++++ b/ipaserver/install/ipa_pkinit_manage.py
+@@ -78,6 +78,8 @@ class PKINITManage(AdminTool):
+ krb.enable_ssl()
+
+ if setup_pkinit:
++ if not is_pkinit_enabled():
++ krb.setup_pkinit()
+ krb.pkinit_enable()
+ else:
+ krb.pkinit_disable()
+--
+2.26.3
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 0cb4f84..38faab6 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From cab573c5e2fb5631c9fd77a41ff77103ea51f9b3 Mon Sep 17 00:00:00 2001
+From a93c2ff982b27166206eab66f1b7d6c13eff63ed Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
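Review bot: The added guard calls `is_pkinit_enabled()` but nothing in the nested hunk imports it; the diffstat shows only these two insertions, so presumably ipa_pkinit_manage.py already imports it in the 4.6.8 tree — worth confirming before applying the backport, since a NameError here would surface only when `setup_pkinit` is true. The branch also deserves a why-comment, as `krb.setup_pkinit()` presumably provisions the KDC certificate that servers upgraded from a pre-PKINIT (4.4 and earlier) IPA CA lack: `# pre-4.5 IPA CA servers never got a KDC cert; set PKINIT up before enabling it`. The enclosing PKINITManage method starts and ends outside the hunk.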
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 6cc1d21..a53c925 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 514a42e4ea723e6630ac24ff3ea68a442137ab52 Mon Sep 17 00:00:00 2001
+From e83c5db6277d24159c869da9463ab2737396cddc Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index 8cea203..41c4053 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 90ffaffce2db5467ac6fd773db53373adfff69b4 Mon Sep 17 00:00:00 2001
+From 98045b1cf0c3d18c958c67a585c8745cf0948675 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 27f9930..0964281 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From e4ef3eb243d8e4fe26dee86529f90f8aaa8ab00f Mon Sep 17 00:00:00 2001
+From e4d43beea85e161ac426a5bff8fe10118a72a9a4 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 6da2669..e6a31b2 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 17675289caa161c6574d1afbc813bd91efe71064 Mon Sep 17 00:00:00 2001
+From 47575ded74d9bd4b0691b0e356453629e8d00e49 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?=
 Date: Fri, 10 Aug 2018 13:16:38 +0200
 Subject: [PATCH] Removing filesystem encoding check
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index d1150d8..d550e00 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -103,7 +103,7 @@
 Name: ipa
 Version: %{IPA_VERSION}
-Release: 5%{?dist}.6
+Release: 5%{?dist}.7
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -111,9 +111,9 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -142,6 +142,9 @@ Patch0021: 0021-ipa-kdb-add-missing-prototypes.patch
 Patch0022: 0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
 Patch0023: 0023-ipa-kdb-mark-test-functions-as-static.patch
 Patch0024: 0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
+Patch0025: 0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
+Patch0026: 0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
+Patch0027: 0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Package-copy-schema-to-ca.py.patch
 Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -402,10 +405,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
 Requires: system-logos >= 70.7.0
-%endif
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
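Review bot: Dropping `%if 0%{?centos} == 0` / `%endif` around `Requires: system-logos >= 70.7.0` makes that dependency unconditional, and the `@@ -111`, `@@ -962` and `@@ -1098` hunks likewise re-enable Source1/2/4, the `cp %SOURCE*` branding copies and the fedora-gdm-logo symlink, while `@@ -988` and `@@ -1010` drop `--with-ipaplatform=rhel` from both configure runs. The removed changelog entry `Roll in CentOS Branding` in the `@@ -1759` hunk suggests these were the CentOS-specific adjustments, so this looks like the RHEL update overwriting them; if that is intended, the new changelog entry should record it rather than silently deleting the CentOS entry, otherwise the guards should be kept. Without `--with-ipaplatform=rhel` the platform comes from configure's autodetection, which is presumably fine on a RHEL builder but should be checked on a CentOS host.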
@@ -962,9 +962,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 # with_python3
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -988,8 +988,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 %make_build
@@ -1010,8 +1009,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 popd
 %endif # with_python3
@@ -1098,11 +1096,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink
 ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 # RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
 %find_lang %{gettext_domain}
@@ -1759,8 +1755,12 @@ fi
 %changelog
-* Tue Jun 08 2021 CentOS Sources - 4.6.8-5.el7.centos.6
-- Roll in CentOS Branding
+* Tue Jun 22 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.7
+- Resolves: #1956550 - IPA server installation fails when cert contains non-ASCII character
+ - CA less installation: non ASCII chars in CA subject
+ - ipatests: use non-ascii chars in CA-less install
+- Resolves: #1974328 - Revise PKINIT upgrade code
+ - Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server
 * Tue May 11 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.6
 - Resolves: #1959349 - Need to bump pki + ds version