replica install: validate DS and HTTP server certificates

Validate the DS and HTTP certificates from the replica info file early in ipa-replica-install to prevent crashes later. https://fedorahosted.org/freeipa/ticket/5598 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-01-21 15:48:30 +01:00 · 2016-01-21 15:48:30 +01:00 · 465ce82a4d
commit 465ce82a4d
parent f9ed0b6ff8
1 changed files with 30 additions and 1 deletions
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -502,6 +502,8 @@ def install_check(installer):
    config.setup_ca = options.setup_ca
    config.setup_kra = options.setup_kra

+    ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
+
    # Create the management framework config file
    # Note: We must do this before bootstraping and finalizing ipalib.api
    old_umask = os.umask(0o22)   # must be readable for httpd
@ -517,7 +519,7 @@ def install_check(installer):
                 ipautil.format_netloc(config.host_name))
        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                 installutils.realm_to_serverid(config.realm_name))
-        if ipautil.file_exists(config.dir + "/cacert.p12"):
+        if ca_enabled:
            fd.write("enable_ra=True\n")
            fd.write("ra_plugin=dogtag\n")
            fd.write("dogtag_version=10\n")
@ -543,6 +545,33 @@ def install_check(installer):
        raise RuntimeError("CA cert file is not available. Please run "
                           "ipa-replica-prepare to create a new replica file.")

+    for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'),
+                                  ('httpcert.p12', 'http_pin.txt')):
+        pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name)
+        tmp_db_dir = tempfile.mkdtemp('ipa')
+        try:
+            tmp_db = certs.CertDB(config.realm_name,
+                                  nssdir=tmp_db_dir,
+                                  subject_base=config.subject_base)
+            if ca_enabled:
+                trust_flags = 'CT,C,C'
+            else:
+                trust_flags = None
+            tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
+                                      ca_file=cafile,
+                                      trust_flags=trust_flags)
+            if not tmp_db.find_server_certs():
+                raise RuntimeError(
+                    "Could not find a suitable server cert in import in %s" %
+                    pkcs12_info[0])
+        except Exception as e:
+            root_logger.error('%s', e)
+            raise RuntimeError(
+                "Server cert is not valid. Please run ipa-replica-prepare to "
+                "create a new replica file.")
+        finally:
+            shutil.rmtree(tmp_db_dir)
+
    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    remote_api = create_api(mode=None)
    remote_api.bootstrap(in_server=True, context='installer',