From eb81f2cf7e0bde6879952d7256bbdfeb3b5c798b Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Tue, 24 Sep 2013 10:54:57 +0200
Subject: [PATCH 2/9] ipa-client-install: Publish CA certificate to systemwide
store
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access the IPA WebUI without a certificate warning out of the box.
https://fedorahosted.org/freeipa/ticket/3504
---
ipa-client/ipa-install/ipa-client-install | 13 +++++-
ipapython/platform/fedora19/__init__.py | 67 ++++++++++++++++++++++++++++++-
ipapython/services.py.in | 11 ++++-
3 files changed, 88 insertions(+), 3 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..23cd9a0babcb600134d87224f0c32ad9ca8845b5 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -651,6 +651,9 @@ def uninstall(options, env):
root_logger.warning('Please remove /etc/ipa/default.conf manually, '
'as it can cause subsequent installation to fail.')
+ # Remove the CA cert from the systemwide certificate store
+ ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
# Remove the CA cert
try:
os.remove(CACERT)
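Review bot: The result of `ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)` is discarded, so if deleting the anchor or re-running update-ca-trust fails, uninstall carries on and the IPA CA remains trusted by every TLS client that uses the systemwide store, with only a log line inside the helper to show for it. A leftover trust anchor is a security-relevant residue of uninstall, so the call site should warn the administrator explicitly: `if not ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT):` followed by `    root_logger.warning('The IPA CA may still be present in the systemwide trust store; remove it and run update-ca-trust manually.')`. The enclosing `uninstall` function and the `try` block that follows continue outside this hunk.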
@@ -2293,12 +2296,20 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
root_logger.info("Configured /etc/sssd/sssd.conf")
+ # Add the CA to the platform-dependant systemwide CA store
+ ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+
# Add the CA to the default NSS database and trust it
try:
- run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+ root_logger.debug("Attempting to add CA directly to the "
+ "default NSS database.")
+ run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+ "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
except CalledProcessError, e:
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.info('Added the CA to the default NSS database.')
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:
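Review bot: The return value of `ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)` is ignored, whereas a failure to add the same CA to the NSS database a few lines below aborts with CLIENT_INSTALL_ERROR; the two paths should at least agree on how a trust-store failure is reported. As written, a failed copy or update-ca-trust run leaves only an info-level message inside the platform helper, so the out-of-the-box browser trust this commit promises can be silently missing. Suggest `if not ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT):` followed by `    root_logger.warning('Failed to add the IPA CA to the systemwide trust store; browsers may warn about the WebUI certificate.')`, and a comment stating whether this step is intentionally non-fatal. `install()` begins and the code that obtains CACERT lies outside this hunk.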
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f4d07483000d57e16b193a857d0988ca..9b931625bdcd4f1266ecfd0c7fea4c37ac7935aa 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
from ipapython.platform import fedora18, base
# All what we allow exporting directly from this module
@@ -38,10 +46,19 @@
# applicable
# check_selinux_status -- platform-specific way to see if SELinux is enabled
# and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+# CA certificate into the systemwide
+# CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+# CA certificate from the systemwide
+# CA store
+
__all__ = ['authconfig', 'service', 'knownservices',
'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
- 'restore_network_configuration', 'timedate_services']
+ 'restore_network_configuration', 'timedate_services',
+ 'insert_ca_cert_into_systemwide_ca_store',
+ 'remove_ca_cert_from_systemwide_ca_store']
# Just copy a referential list of timedate services
timedate_services = list(base.timedate_services)
@@ -53,3 +70,51 @@
knownservices = fedora18.knownservices
restore_context = fedora18.restore_context
check_selinux_status = fedora18.check_selinux_status
+
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+ # Add the 'ipa-' prefix to cert name to avoid name collisions
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+ # Add the CA to the systemwide CA trust database
+ try:
+ shutil.copy(cacert_path, new_cacert_path)
+ run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.info("Failed to copy %s to %s" % (cacert_path,
+ new_cacert_path))
+ except CalledProcessError, e:
+ root_logger.info("Failed to add CA to the systemwide "
+ "CA trust database: %s" % str(e))
+ else:
+ root_logger.info('Added the CA to the systemwide CA trust database.')
+ return True
+
+ return False
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+ # Derive the certificate name in the store
+ cacert_name = os.path.basename(cacert_path)
+ new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+ # Remove CA cert from systemwide store
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ run(['/usr/bin/update-ca-trust'])
+ except OSError, e:
+ root_logger.error('Could not remove: %s, %s'
+ % (new_cacert_path, str(e)))
+ return False
+ except CalledProcessError, e:
+ root_logger.error('Could not update systemwide CA trust '
+ 'database: %s' % str(e))
+ return False
+ else:
+ root_logger.info('Systemwide CA database updated.')
+
+ return True
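Review bot: In `insert_ca_cert_into_systemwide_ca_store` the `except OSError, e:` clause does not cover the failure modes of `shutil.copy` on Python 2, which the `except X, e` syntax here targets: a missing or unreadable cacert_path raises IOError from the underlying open(), and IOError is not a subclass of OSError there, so the exception escapes the helper and the installer instead of producing the logged False the caller is written to expect. The copy-failure message also drops the exception text and is logged at info level although it is a failure; suggest `except (IOError, OSError), e:` followed by `root_logger.warning("Failed to copy %s to %s: %s" % (cacert_path, new_cacert_path, str(e)))`. In `remove_ca_cert_from_systemwide_ca_store`, when `os.remove` succeeds but `update-ca-trust` fails the anchor file is gone yet the compiled trust bundle still contains the IPA CA until update-ca-trust is rerun, which is the security-relevant outcome; the error message should say that the CA remains trusted and that `update-ca-trust` must be run manually rather than only "Could not update systemwide CA trust database".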
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca8508d4078e896cd1da6fd664f52a3930e..d648ad5bf77aa58f2de33f0a02440eae01d6396b 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
@@ -21,7 +21,7 @@
authconfig = None
# knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices)
+# (instance of ipapython.platform.base.KnownServices)
knownservices = None
# service is a class to instantiate ipapython.platform.base.PlatformService
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
def get_svc_list_file():
return SVC_LIST_FILE
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+ return True
+
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+ return True
+
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
+
from ipapython.platform.SUPPORTED_PLATFORM import *
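Review bot: The default stubs `insert_ca_cert_into_systemwide_ca_store_default` and `remove_ca_cert_from_systemwide_ca_store_default` return True without touching anything, so on a platform that does not override them the installer is told the CA was published to, or removed from, a systemwide store that was never modified, and the return value is the only signal callers get. Both functions need a docstring saying they are no-op fallbacks for platforms without a systemwide CA trust store, that True here means "nothing to do" rather than "the CA is now trusted (or no longer trusted) systemwide", and that platform modules pulled in by `from ipapython.platform.SUPPORTED_PLATFORM import *` are expected to override them. Whether a no-op should report True or False depends on how the call sites treat the result, which lies outside this hunk.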
--
1.8.5.3