From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 19 Jun 2020 08:48:56 -0400
Subject: [PATCH] Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.
Point to IPA CA certificate during pkispawn
Bump pki_version to 10.9.0-0.4 (aka -b2)
Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
freeipa.spec.in | 6 +++---
install/tools/ipa-pki-wait-running.in | 3 ++-
ipaserver/install/cainstance.py | 7 +++++++
ipaserver/install/dogtaginstance.py | 3 ++-
ipaserver/plugins/dogtag.py | 11 +++++------
5 files changed, 19 insertions(+), 11 deletions(-)
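diff --git a/freeipa.spec.in b/freeipa.spec.in
index 74e752ea5..d00b9d640 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,9 +112,9 @@
 # Fedora
 %endif
 
-# 10.7.3 supports LWCA key replication using AES
-# https://pagure.io/freeipa/issue/8020
-%global pki_version 10.7.3-1
+# PKIConnection has been modified to always validate certs.
+# https://pagure.io/freeipa/issue/8379
+%global pki_version 10.9.0-0.4
 
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1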
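diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
index 69f5ec296..4f0f2f34a 100644
--- a/install/tools/ipa-pki-wait-running.in
+++ b/install/tools/ipa-pki-wait-running.in
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
 """
 conn = PKIConnection(
 hostname=hostname,
- subsystem=subsystem
+ subsystem=subsystem,
+ cert_paths=paths.IPA_CA_CRT
 )
 logger.info(
 "Created connection %s://%s:%s/%s",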
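Review bot: `cert_paths=paths.IPA_CA_CRT` is passed unconditionally on the added line, whereas the cainstance.py hunk in this same commit only uses that path after checking `os.path.exists(paths.IPA_CA_CRT)`; the dogtaginstance.py and dogtag.py hunks use the same unconditional form. What PKIConnection does with a cert_paths entry that does not exist on disk is not visible from the patch, so a one-line comment stating the precondition, `# assumes paths.IPA_CA_CRT already exists when this tool runs — TODO confirm`, would make the expectation explicit for whoever next changes install ordering. The `get_conn` signature and the import that provides the `paths` name lie outside the hunk, so the name's availability here is assumed rather than verified.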
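diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 706bc28cc..9294f1dba 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
 else:
 pki_pin = None
 
+ # When spawning a CA instance, always point to IPA_CA_CRT if it
+ # exists. Later, when we're performing step 2 of an external CA
+ # installation, we'll overwrite this key to point to the real
+ # external CA.
+ if os.path.exists(paths.IPA_CA_CRT):
+ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
+
 if self.clone:
 if self.no_db_setup:
 cfg.update(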
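Review bot: When `paths.IPA_CA_CRT` is absent the new guard falls through silently and `pki_cert_chain_path` is never set, which the comment presents as the expected step-1 external-CA case, but nothing records that decision at the time it is made. An `else:` branch with a debug message, `logger.debug('%s not present, leaving pki_cert_chain_path unset', paths.IPA_CA_CRT)`, would make a later peer-verification failure in pkispawn much easier to trace back to this point; this assumes the module already has a `logger`, which is outside the hunk. The comment's statement that the key is overwritten during step 2 refers to code not in this hunk and cannot be checked from the patch. The enclosing method begins and ends outside the hunk.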
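diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 361d80a8c..7e295665c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -70,7 +70,8 @@ def get_security_domain():
 connection = PKIConnection(
 protocol='https',
 hostname=api.env.ca_host,
- port='8443'
+ port='8443',
+ cert_paths=paths.IPA_CA_CRT
 )
 domain_client = pki.system.SecurityDomainClient(connection)
 info = domain_client.get_security_domain_info()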
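diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4de26d76f..b300f6b18 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2082,13 +2082,12 @@ class kra(Backend):
 'https',
 self.kra_host,
 str(self.kra_port),
- 'kra')
+ 'kra',
+ cert_paths=paths.IPA_CA_CRT
+ )
 
- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
- # uncomment the following when this commit makes it to release
- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
- # connection.set_authentication_cert(paths.RA_AGENT_PEM,
- # paths.RA_AGENT_KEY)
+ connection.set_authentication_cert(paths.RA_AGENT_PEM,
+ paths.RA_AGENT_KEY)
 
 try:
 yield KRAClient(connection, crypto)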
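Review bot: The PKIConnection call in this hunk now mixes four positional arguments with the keyword `cert_paths=`, making it the only call site in the commit where the protocol, host, port and subsystem are not named. Naming them, `protocol='https', hostname=self.kra_host, port=str(self.kra_port), subsystem='kra',` ahead of the new `cert_paths=paths.IPA_CA_CRT`, would match the get_conn and get_security_domain hunks and would not silently break if PKIConnection's positional order ever changes; a trailing comma after the `cert_paths` argument would also keep future additions to a one-line diff. The `connection = PKIConnection(` line that opens this call is outside the hunk.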
--
2.26.2