ipa-client-install: Publish CA certificate to systemwide store

During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the
box.

https://fedorahosted.org/freeipa/ticket/3504

ipa-client/ipa-install/ipa-client-install

@@ -673,6 +673,9 @@ def uninstall(options, env):
         root_logger.warning('Please remove /etc/ipa/default.conf manually, '
                             'as it can cause subsequent installation to fail.')
 
+    # Remove the CA cert from the systemwide certificate store
+    ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
+
     # Remove the CA cert
     try:
         os.remove(CACERT)
@@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore):
             return CLIENT_INSTALL_ERROR
         root_logger.info("Configured /etc/sssd/sssd.conf")
 
+    # Add the CA to the platform-dependant systemwide CA store
+    ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
+
     # Add the CA to the default NSS database and trust it
     try:
-        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
+        root_logger.debug("Attempting to add CA directly to the "
+                          "default NSS database.")
+        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
+             "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
     except CalledProcessError, e:
         root_logger.info("Failed to add CA to the default NSS database.")
         return CLIENT_INSTALL_ERROR
+    else:
+        root_logger.info('Added the CA to the default NSS database.')
 
     host_principal = 'host/%s@%s' % (hostname, cli_realm)
     if options.on_master:

ipapython/platform/fedora19/__init__.py

@@ -17,6 +17,14 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
 from ipapython.platform import fedora18, base
 
 # All what we allow exporting directly from this module
@@ -38,10 +46,19 @@ from ipapython.platform import fedora18, base
 #                    applicable
 # check_selinux_status -- platform-specific way to see if SELinux is enabled
 #                         and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+#                                           CA certificate into the systemwide
+#                                           CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+#                                           CA certificate from the systemwide
+#                                           CA store
+
 
 __all__ = ['authconfig', 'service', 'knownservices',
     'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
-    'restore_network_configuration', 'timedate_services']
+    'restore_network_configuration', 'timedate_services',
+    'insert_ca_cert_into_systemwide_ca_store',
+    'remove_ca_cert_from_systemwide_ca_store']
 
 # Just copy a referential list of timedate services
 timedate_services = list(base.timedate_services)
@@ -53,3 +70,51 @@ service = fedora18.service
 knownservices = fedora18.knownservices
 restore_context = fedora18.restore_context
 check_selinux_status = fedora18.check_selinux_status
+
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+    # Add the 'ipa-' prefix to cert name to avoid name collisions
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+    # Add the CA to the systemwide CA trust database
+    try:
+        shutil.copy(cacert_path, new_cacert_path)
+        run(['/usr/bin/update-ca-trust'])
+    except OSError, e:
+        root_logger.info("Failed to copy %s to %s" % (cacert_path,
+                                                      new_cacert_path))
+    except CalledProcessError, e:
+        root_logger.info("Failed to add CA to the systemwide "
+                         "CA trust database: %s" % str(e))
+    else:
+        root_logger.info('Added the CA to the systemwide CA trust database.')
+        return True
+
+    return False
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+    # Derive the certificate name in the store
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+    # Remove CA cert from systemwide store
+    if os.path.exists(new_cacert_path):
+        try:
+            os.remove(new_cacert_path)
+            run(['/usr/bin/update-ca-trust'])
+        except OSError, e:
+            root_logger.error('Could not remove: %s, %s'
+                               % (new_cacert_path, str(e)))
+            return False
+        except CalledProcessError, e:
+            root_logger.error('Could not update systemwide CA trust '
+                              'database: %s' % str(e))
+            return False
+        else:
+            root_logger.info('Systemwide CA database updated.')
+
+    return True

ipapython/services.py.in

@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
 def get_svc_list_file():
     return SVC_LIST_FILE
 
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+    return True
+
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+    return True
+
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
+
 from ipapython.platform.SUPPORTED_PLATFORM import *