348 lines
12 KiB
Diff
348 lines
12 KiB
Diff
|
From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Wed, 3 Feb 2021 15:52:05 -0500
|
||
|
Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
|
||
|
|
||
|
The nickname of the 389-ds certificate was hardcoded as
|
||
|
Server-Cert which failed if the user had installed a
|
||
|
third-party certificate using ipa-server-certinstall.
|
||
|
|
||
|
Instead pull the nickname from the DS configuration and
|
||
|
retrieve it based on that.
|
||
|
|
||
|
https://pagure.io/freeipa/issue/8600
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
|
||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
|
||
|
index 2f2c15613..29af89cd5 100644
|
||
|
--- a/ipaserver/install/ipa_cert_fix.py
|
||
|
+++ b/ipaserver/install/ipa_cert_fix.py
|
||
|
@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
|
||
|
certs.append((IPACertType.HTTPS, cert))
|
||
|
|
||
|
# LDAPS
|
||
|
- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
|
||
|
+ serverid = realm_to_serverid(api.env.realm)
|
||
|
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
|
||
|
+ ds_dbdir = dsinstance.config_dirname(serverid)
|
||
|
+ ds_nickname = ds.get_server_cert_nickname(serverid)
|
||
|
db = NSSDatabase(nssdir=ds_dbdir)
|
||
|
- cert = db.get_cert('Server-Cert')
|
||
|
+ cert = db.get_cert(ds_nickname)
|
||
|
if cert.not_valid_after <= now:
|
||
|
certs.append((IPACertType.LDAPS, cert))
|
||
|
|
||
|
@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
|
||
|
elif certtype is IPACertType.HTTPS:
|
||
|
shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
|
||
|
elif certtype is IPACertType.LDAPS:
|
||
|
- ds_dbdir = dsinstance.config_dirname(
|
||
|
- realm_to_serverid(api.env.realm))
|
||
|
+ serverid = realm_to_serverid(api.env.realm)
|
||
|
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
|
||
|
+ ds_dbdir = dsinstance.config_dirname(serverid)
|
||
|
db = NSSDatabase(nssdir=ds_dbdir)
|
||
|
- db.delete_cert('Server-Cert')
|
||
|
- db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
|
||
|
+ ds_nickname = ds.get_server_cert_nickname(serverid)
|
||
|
+ db.delete_cert(ds_nickname)
|
||
|
+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
|
||
|
elif certtype is IPACertType.KDC:
|
||
|
shutil.copyfile(cert_path, paths.KDC_CERT)
|
||
|
|
||
|
--
|
||
|
2.29.2
|
||
|
|
||
|
From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Thu, 4 Feb 2021 08:25:48 -0500
|
||
|
Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
|
||
|
|
||
|
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
|
||
|
so would fail if a third-party certificate was installed for DS.
|
||
|
|
||
|
https://pagure.io/freeipa/issue/8600
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
.../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++
|
||
|
1 file changed, 57 insertions(+)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||
|
index 2f7de5526..f9e5fe6e2 100644
|
||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||
|
@@ -11,6 +11,17 @@ import time
|
||
|
from ipaplatform.paths import paths
|
||
|
from ipatests.pytest_ipa.integration import tasks
|
||
|
from ipatests.test_integration.base import IntegrationTest
|
||
|
+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||
|
+
|
||
|
+
|
||
|
+def server_install_teardown(func):
|
||
|
+ def wrapped(*args):
|
||
|
+ master = args[0].master
|
||
|
+ try:
|
||
|
+ func(*args)
|
||
|
+ finally:
|
||
|
+ ipa_certs_cleanup(master)
|
||
|
+ return wrapped
|
||
|
|
||
|
|
||
|
class TestIpaCertFix(IntegrationTest):
|
||
|
@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
|
||
|
else:
|
||
|
# timeout
|
||
|
raise AssertionError('Timeout: Failed to renew all the certs')
|
||
|
+
|
||
|
+
|
||
|
+class TestIpaCertFixThirdParty(CALessBase):
|
||
|
+ """
|
||
|
+ Test that ipa-cert-fix works with an installation with custom certs.
|
||
|
+ """
|
||
|
+
|
||
|
+ @classmethod
|
||
|
+ def install(cls, mh):
|
||
|
+ cls.nickname = 'ca1/server'
|
||
|
+
|
||
|
+ super(TestIpaCertFixThirdParty, cls).install(mh)
|
||
|
+ tasks.install_master(cls.master, setup_dns=True)
|
||
|
+
|
||
|
+ @server_install_teardown
|
||
|
+ def test_third_party_certs(self):
|
||
|
+ self.create_pkcs12(self.nickname,
|
||
|
+ password=self.cert_password,
|
||
|
+ filename='server.p12')
|
||
|
+ self.prepare_cacert('ca1')
|
||
|
+
|
||
|
+ # We have a chain length of one. If this is extended then the
|
||
|
+ # additional cert names will need to be calculated.
|
||
|
+ nick_chain = self.nickname.split('/')
|
||
|
+ ca_cert = '%s.crt' % nick_chain[0]
|
||
|
+
|
||
|
+ # Add the CA to the IPA store
|
||
|
+ self.copy_cert(self.master, ca_cert)
|
||
|
+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
|
||
|
+
|
||
|
+ # Apply the new cert chain otherwise ipa-server-certinstall will fail
|
||
|
+ self.master.run_command(['ipa-certupdate'])
|
||
|
+
|
||
|
+ # Install the updated certs and restart the world
|
||
|
+ self.copy_cert(self.master, 'server.p12')
|
||
|
+ args = ['ipa-server-certinstall',
|
||
|
+ '-p', self.master.config.dirman_password,
|
||
|
+ '--pin', self.master.config.admin_password,
|
||
|
+ '-d', 'server.p12']
|
||
|
+ self.master.run_command(args)
|
||
|
+ self.master.run_command(['ipactl', 'restart',])
|
||
|
+
|
||
|
+ # Run ipa-cert-fix. This is basically a no-op but tests that
|
||
|
+ # the DS nickname is used and not a hardcoded value.
|
||
|
+ result = self.master.run_command(['ipa-cert-fix', '-v'],)
|
||
|
+ assert self.nickname in result.stderr_text
|
||
|
--
|
||
|
2.29.2
|
||
|
|
||
|
From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Fri, 5 Feb 2021 09:00:54 -0500
|
||
|
Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
|
||
|
|
||
|
Related: https://github.com/dogtagpki/pki/issues/3387
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
freeipa.spec.in | 4 ++--
|
||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||
|
index 93e473ac4..0e261285b 100755
|
||
|
--- a/freeipa.spec.in
|
||
|
+++ b/freeipa.spec.in
|
||
|
@@ -128,11 +128,11 @@
|
||
|
%if 0%{?rhel} == 8
|
||
|
# PKIConnection has been modified to always validate certs.
|
||
|
# https://pagure.io/freeipa/issue/8379
|
||
|
-%global pki_version 10.9.0-0.4
|
||
|
+%global pki_version 10.10.4-1
|
||
|
%else
|
||
|
# New KRA profile, ACME support
|
||
|
# https://pagure.io/freeipa/issue/8545
|
||
|
-%global pki_version 10.10.0-2
|
||
|
+%global pki_version 10.10.3-1
|
||
|
%endif
|
||
|
|
||
|
# RHEL 8.3+, F32+ has 0.79.13
|
||
|
--
|
||
|
2.29.2
|
||
|
|
||
|
From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Wed, 10 Feb 2021 16:07:13 -0500
|
||
|
Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
|
||
|
|
||
|
If the Apache, 389-ds or KDC certificate was issued by
|
||
|
a third party there is nothing we can do, regardless of
|
||
|
whether it is expired or not.
|
||
|
|
||
|
Report which certificates will not be renewed so the
|
||
|
admin can manually do do (likely in the event of a
|
||
|
third-party certificate).
|
||
|
|
||
|
https://pagure.io/freeipa/issue/8600
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
|
||
|
1 file changed, 43 insertions(+), 10 deletions(-)
|
||
|
|
||
|
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
|
||
|
index 29af89cd5..210cf80f1 100644
|
||
|
--- a/ipaserver/install/ipa_cert_fix.py
|
||
|
+++ b/ipaserver/install/ipa_cert_fix.py
|
||
|
@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
|
||
|
from ipapython.dn import DN
|
||
|
from ipapython.ipaldap import realm_to_serverid
|
||
|
from ipaserver.install import ca, cainstance, dsinstance
|
||
|
+from ipaserver.install.certs import is_ipa_issued_cert
|
||
|
from ipapython import directivesetter
|
||
|
from ipapython import ipautil
|
||
|
|
||
|
@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
|
||
|
|
||
|
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
|
||
|
api.finalize()
|
||
|
+
|
||
|
+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
|
||
|
+ print(
|
||
|
+ "The LDAP server is not running; cannot proceed."
|
||
|
+ )
|
||
|
+ return 1
|
||
|
+
|
||
|
api.Backend.ldap2.connect() # ensure DS is up
|
||
|
|
||
|
subject_base = dsinstance.DsInstance().find_subject_base()
|
||
|
@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
|
||
|
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
|
||
|
|
||
|
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
|
||
|
- certs, extra_certs = expired_certs(now)
|
||
|
+ certs, extra_certs, non_renewed = expired_certs(now)
|
||
|
|
||
|
if not certs and not extra_certs:
|
||
|
print("Nothing to do.")
|
||
|
@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
|
||
|
|
||
|
print(msg)
|
||
|
|
||
|
- print_intentions(certs, extra_certs)
|
||
|
+ print_intentions(certs, extra_certs, non_renewed)
|
||
|
|
||
|
response = ipautil.user_input('Enter "yes" to proceed')
|
||
|
if response.lower() != 'yes':
|
||
|
@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
|
||
|
fix_certreq_directives(certs)
|
||
|
run_cert_fix(certs, extra_certs)
|
||
|
except ipautil.CalledProcessError:
|
||
|
- if any(x[0] is IPACertType.LDAPS for x in extra_certs):
|
||
|
+ if any(
|
||
|
+ x[0] is IPACertType.LDAPS
|
||
|
+ for x in extra_certs + non_renewed
|
||
|
+ ):
|
||
|
# The DS cert was expired. This will cause
|
||
|
# 'pki-server cert-fix' to fail at the final
|
||
|
# restart. Therefore ignore the CalledProcessError
|
||
|
@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
|
||
|
print("Becoming renewal master.")
|
||
|
cainstance.CAInstance().set_renewal_master()
|
||
|
|
||
|
+ print("Restarting IPA")
|
||
|
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
|
||
|
|
||
|
return 0
|
||
|
|
||
|
|
||
|
def expired_certs(now):
|
||
|
- return expired_dogtag_certs(now), expired_ipa_certs(now)
|
||
|
+ expired_ipa, non_renew_ipa = expired_ipa_certs(now)
|
||
|
+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
|
||
|
|
||
|
|
||
|
def expired_dogtag_certs(now):
|
||
|
@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
|
||
|
|
||
|
"""
|
||
|
certs = []
|
||
|
+ non_renewed = []
|
||
|
|
||
|
# IPA RA
|
||
|
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
|
||
|
@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
|
||
|
# Apache HTTPD
|
||
|
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
|
||
|
if cert.not_valid_after <= now:
|
||
|
- certs.append((IPACertType.HTTPS, cert))
|
||
|
+ if not is_ipa_issued_cert(api, cert):
|
||
|
+ non_renewed.append((IPACertType.HTTPS, cert))
|
||
|
+ else:
|
||
|
+ certs.append((IPACertType.HTTPS, cert))
|
||
|
|
||
|
# LDAPS
|
||
|
serverid = realm_to_serverid(api.env.realm)
|
||
|
@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
|
||
|
db = NSSDatabase(nssdir=ds_dbdir)
|
||
|
cert = db.get_cert(ds_nickname)
|
||
|
if cert.not_valid_after <= now:
|
||
|
- certs.append((IPACertType.LDAPS, cert))
|
||
|
+ if not is_ipa_issued_cert(api, cert):
|
||
|
+ non_renewed.append((IPACertType.LDAPS, cert))
|
||
|
+ else:
|
||
|
+ certs.append((IPACertType.LDAPS, cert))
|
||
|
|
||
|
# KDC
|
||
|
cert = x509.load_certificate_from_file(paths.KDC_CERT)
|
||
|
if cert.not_valid_after <= now:
|
||
|
- certs.append((IPACertType.KDC, cert))
|
||
|
+ if not is_ipa_issued_cert(api, cert):
|
||
|
+ non_renewed.append((IPACertType.HTTPS, cert))
|
||
|
+ else:
|
||
|
+ certs.append((IPACertType.KDC, cert))
|
||
|
|
||
|
- return certs
|
||
|
+ return certs, non_renewed
|
||
|
|
||
|
|
||
|
-def print_intentions(dogtag_certs, ipa_certs):
|
||
|
- print("The following certificates will be renewed: ")
|
||
|
+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
|
||
|
+ print("The following certificates will be renewed:")
|
||
|
print()
|
||
|
|
||
|
for certid, cert in dogtag_certs:
|
||
|
@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
|
||
|
for certtype, cert in ipa_certs:
|
||
|
print_cert_info("IPA", certtype.value, cert)
|
||
|
|
||
|
+ if non_renewed:
|
||
|
+ print(
|
||
|
+ "The following certificates will NOT be renewed because "
|
||
|
+ "they were not issued by the IPA CA:"
|
||
|
+ )
|
||
|
+ print()
|
||
|
+
|
||
|
+ for certtype, cert in non_renewed:
|
||
|
+ print_cert_info("IPA", certtype.value, cert)
|
||
|
+
|
||
|
|
||
|
def print_cert_info(context, desc, cert):
|
||
|
print("{} {} certificate:".format(context, desc))
|
||
|
--
|
||
|
2.29.2
|
||
|
|