client: stop using /etc/pki/nssdb

Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses /etc/ipa/nssdb and IPA CA certificates are provided to the system using p11-kit. Remove leftovers on upgrade. https://fedorahosted.org/freeipa/ticket/5592 Reviewed-By: David Kupka <dkupka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-02-22 15:05:35 +01:00
parent 775ee77bcc
commit 11592dde1b
8 changed files with 36 additions and 89 deletions
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -559,29 +559,12 @@ def uninstall(options, env):
            root_logger.error("%s failed to stop tracking certificate: %s",
                              cmonger.service_name, e)

-    # Remove our host cert and CA cert
-    try:
-        ipa_certs = ipa_db.list_certs()
-    except CalledProcessError as e:
-        root_logger.error(
-            "Failed to list certificates in %s: %s", ipa_db.secdir, e)
-        ipa_certs = []
-
    for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
                     os.path.join(ipa_db.secdir, 'key3.db'),
                     os.path.join(ipa_db.secdir, 'secmod.db'),
                     os.path.join(ipa_db.secdir, 'pwdfile.txt')):
        remove_file(filename)

-    for nickname, trust_flags in ipa_certs:
-        while sys_db.has_nickname(nickname):
-            try:
-                sys_db.delete_cert(nickname)
-            except Exception as e:
-                root_logger.error("Failed to remove %s from %s: %s",
-                                  nickname, sys_db.secdir, e)
-                break
-
    # Remove any special principal names we added to the IPA CA helper
    certmonger.remove_principal_from_cas()

@@ -2899,19 +2882,6 @@ def install(options, env, fstore, statestore):
    # Add the CA certificates to the platform-dependant systemwide CA store
    tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)

-    # Add the CA certificates to the default NSS database
-    root_logger.debug(
-        "Attempting to add CA certificates to the default NSS database.")
-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-    for cert, nickname, trust_flags in ca_certs_trust:
-        try:
-            sys_db.add_cert(cert, nickname, trust_flags)
-        except CalledProcessError as e:
-            root_logger.error(
-                "Failed to add %s to the default NSS database.", nickname)
-            return CLIENT_INSTALL_ERROR
-    root_logger.info("Added CA certificates to the default NSS database.")
-
    if not options.on_master:
        client_dns(cli_server[0], hostname, options)
        configure_certmonger(fstore, subject_base, cli_realm, hostname,
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -266,8 +266,6 @@ Files updated, existing content is maintained:

 /etc/nsswitch.conf
 .br
-/etc/pki/nssdb
-.br
 /etc/krb5.keytab
 .br
 /etc/sysconfig/network
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -937,15 +937,8 @@ if [ $1 -gt 1 ] ; then
        fi
    fi

-    if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
-        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
-        tempfile=$(mktemp)
-        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        fi
-        rm -f "$tempfile"
+    if [ $restore -ge 2 ]; then
+        python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
    fi
 fi

--- a/ipaclient/ipa_certupdate.py
+++ b/ipaclient/ipa_certupdate.py
@@ -95,17 +95,6 @@ class CertUpdate(admintool.AdminTool):
        self.update_file(paths.IPA_CA_CRT, certs)

        ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-        sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-
-        # Remove IPA certs from /etc/pki/nssdb
-        for nickname, trust_flags in ipa_db.list_certs():
-            while sys_db.has_nickname(nickname):
-                try:
-                    sys_db.delete_cert(nickname)
-                except ipautil.CalledProcessError as e:
-                    self.log.error("Failed to remove %s from %s: %s",
-                                   nickname, sys_db.secdir, e)
-                    break

        # Remove old IPA certs from /etc/ipa/nssdb
        for nickname in ('IPA CA', 'External CA cert'):
@@ -118,7 +107,6 @@ class CertUpdate(admintool.AdminTool):
                    break

        self.update_db(ipa_db.secdir, certs)
-        self.update_db(sys_db.secdir, certs)

        tasks.remove_ca_certs_from_systemwide_ca_store()
        tasks.insert_ca_certs_into_systemwide_ca_store(certs)
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -56,6 +56,35 @@ def create_ipa_nssdb():
    os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)


+def update_ipa_nssdb():
+    ipa_db = NSSDatabase(paths.IPA_NSSDB_DIR)
+    sys_db = NSSDatabase(paths.NSS_DB_DIR)
+
+    if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+        create_ipa_nssdb()
+
+    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+                                  ('External CA cert', 'C,,')):
+        try:
+            cert = sys_db.get_cert(nickname)
+        except RuntimeError:
+            continue
+        try:
+            ipa_db.add_cert(cert, nickname, trust_flags)
+        except ipautil.CalledProcessError as e:
+            raise RuntimeError("Failed to add %s to %s: %s" %
+                               (nickname, ipa_db.secdir, e))
+
+    # Remove IPA certs from /etc/pki/nssdb
+    for nickname, trust_flags in ipa_db.list_certs():
+        while sys_db.has_nickname(nickname):
+            try:
+                sys_db.delete_cert(nickname)
+            except ipautil.CalledProcessError as e:
+                raise RuntimeError("Failed to remove %s from %s: %s" %
+                                   (nickname, sys_db.secdir, e))
+
+
 def find_cert_from_txt(cert, start=0):
    """
    Given a cert blob (str) which may or may not contian leading and
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -173,8 +173,7 @@ class Backup(admintool.AdminTool):
        paths.IPA_DNSKEYSYNCD_KEYTAB,
        paths.HOSTS,
    ) + tuple(
-        os.path.join(base, file)
-        for base in (paths.NSS_DB_DIR, paths.IPA_NSSDB_DIR)
+        os.path.join(paths.IPA_NSSDB_DIR, file)
        for file in ('cert8.db', 'key3.db', 'secmod.db')
    )

--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -831,23 +831,10 @@ class Restore(admintool.AdminTool):
        tasks.remove_ca_certs_from_systemwide_ca_store()

    def cert_restore(self):
-        if not os.path.exists(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
-            certdb.create_ipa_nssdb()
-            ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-            sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-            for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-                                          ('External CA cert', 'C,,')):
-                try:
-                    cert = sys_db.get_cert(nickname)
-                except RuntimeError:
-                    pass
-                else:
-                    try:
-                        ipa_db.add_cert(cert, nickname, trust_flags)
-                    except ipautil.CalledProcessError as e:
-                        self.log.error(
-                            "Failed to add %s to %s: %s" %
-                            (nickname, paths.IPA_NSSDB_DIR, e))
+        try:
+            certdb.update_ipa_nssdb()
+        except RuntimeError as e:
+            self.log.error("%s", e)

        tasks.reload_systemwide_ca_store()

--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -112,12 +112,6 @@ class CALessBase(IntegrationTest):
        # Remove the NSS database
        shutil.rmtree(cls.cert_dir)

-        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
-        for host in cls.get_all_hosts():
-            cls.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                                    '-n', 'External CA cert'],
-                                   raiseonerr=False)
-
        super(CALessBase, cls).uninstall(mh)

    @classmethod
@@ -343,12 +337,6 @@ class TestServerInstall(CALessBase):
    def tearDown(self):
        self.uninstall_server()

-        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
-        for host in self.get_all_hosts():
-            self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                                     '-n', 'External CA cert'],
-                                    raiseonerr=False)
-
    def test_nonexistent_ca_pem_file(self):
        "IPA server install with non-existent CA PEM file "

@@ -769,12 +757,7 @@ class TestReplicaInstall(CALessBase):
        self.master.run_command(['ipa', 'host-del', replica.hostname],
                                raiseonerr=False)

-        replica.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                             '-n', 'External CA cert'], raiseonerr=False)
-
        self.uninstall_server()
-        self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
-                                 '-n', 'External CA cert'], raiseonerr=False)

    def test_no_certs(self):
        "IPA replica install without certificates"