From 392f44a38a7e97242cfd2145592fbf6038191d09 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Fri, 4 May 2018 12:16:33 +0200
Subject: [PATCH] mod_ssl: add SSLVerifyDepth for external CA installs
mod_ssl's limiting of client cert verification depth was causing the replica installs to fail when master had been installed with external CA since the SSLCACertificateFile was pointing to a file with more than one certificate. This is caused by the default SSLVerifyDepth value of 1. We set it to 5 as that should be just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
---
 ipalib/constants.py | 3 +++
 ipaserver/install/httpinstance.py | 7 ++++++-
 ipatests/test_integration/test_external_ca.py | 5 +++++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index e161d65ad..17d03a591 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -319,3 +319,6 @@ USER_CACHE_PATH = (
 )
 SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
+# Apache's mod_ssl SSLVerifyDepth value (Maximum depth of CA
+# Certificates in Client Certificate verification)
+MOD_SSL_VERIFY_DEPTH = '5'
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b87b9fd9..3167f92c2 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -43,7 +43,7 @@ from ipapython.dn import DN
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api, x509
-from ipalib.constants import IPAAPI_USER
+from ipalib.constants import IPAAPI_USER, MOD_SSL_VERIFY_DEPTH
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
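Review bot: The comment above `MOD_SSL_VERIFY_DEPTH` says what the directive is but not why the value is 5 or why it is kept as a string, so the next person tuning it has nothing to go on. Since the other hunk writes it verbatim into ssl.conf via `set_directive(..., quotes=False)`, a `str` is the right type, but the comment should say so and should record the reason for the number, e.g. `# Written verbatim into ssl.conf. mod_ssl's default depth of 1 rejects client chains when the CA file holds more than one certificate (external-CA installs, see https://pagure.io/freeipa/issue/7530); 5 leaves headroom for nested sub-CAs.` It is also worth stating that raising the depth does not add trust anchors — a chain must still terminate in a certificate from SSLCACertificateFile — so the value bounds chain length rather than loosening who is accepted.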
@@ -418,6 +418,11 @@ class HTTPInstance(service.Service):
 installutils.set_directive(paths.HTTPD_SSL_CONF, 'SSLCACertificateFile', paths.IPA_CA_CRT, False)
+ # set SSLVerifyDepth for external CA installations
+ installutils.set_directive(paths.HTTPD_SSL_CONF,
+ 'SSLVerifyDepth',
+ MOD_SSL_VERIFY_DEPTH,
+ quotes=False)
 def __publish_ca_cert(self):
 ca_subject = self.cert.issuer
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 3bcbcbfdc..cc7e7d60e 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -111,6 +111,8 @@ class TestExternalCA(IntegrationTest):
 """
 Test of FreeIPA server installation with exernal CA
 """
+ num_replicas = 1
+
 @tasks.collect_logs
 def test_external_ca(self):
 # Step 1 of ipa-server-install.
@@ -131,6 +133,9 @@ class TestExternalCA(IntegrationTest):
 result = self.master.run_command(['ipa', 'user-show', 'admin'])
 assert 'User login: admin' in result.stdout_text
+ # check that we can also install replica
+ tasks.install_replica(self.master, self.replicas[0])
+
 class TestSelfExternalSelf(IntegrationTest):
 """
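Review bot: The new `SSLVerifyDepth` directive is only written on this install-time path (the enclosing method of HTTPInstance starts outside the hunk), so a master installed before this change keeps mod_ssl's default depth of 1 after a package upgrade; if the verification that fails in issue 7530 happens on the master's httpd rather than on the replica being installed, an upgrade step issuing the same `set_directive` call is needed as well, and this diff does not touch the upgrade code — worth confirming. A smaller point of style: the preceding `SSLCACertificateFile` call passes its last argument positionally as `False` (presumably the same `quotes` parameter) while the new call spells it `quotes=False`; the two adjacent calls should use one form.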
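Review bot: The comment `# check that we can also install replica` does not say why a replica install belongs in the external-CA test, so the regression it guards becomes invisible once the commit message is out of reach; I would write `# Regression test for https://pagure.io/freeipa/issue/7530: replica install against an external-CA master failed because mod_ssl's default SSLVerifyDepth of 1 rejected the multi-certificate CA file.` The `num_replicas = 1` added in the earlier hunk is what provisions `self.replicas[0]` and could carry a one-line comment pointing to the same test.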