IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-client-install: Publish CA certificate to systemwide store

Browse Source 
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.

This allows browsers to access IPA WebUI without warning out of the
box.

https://fedorahosted.org/freeipa/ticket/3504
This commit is contained in:
Tomas Babej 2013-09-24 10:54:57 +02:00 committed by Petr Viktorin
parent 60b472479d
commit 4a0e91449e
3 changed files with 88 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
ipa-client/ipa-install/ipa-client-install
View File

@ -673,6 +673,9 @@ def uninstall(options, env):
root_logger.warning('Please remove /etc/ipa/default.conf manually, '
'as it can cause subsequent installation to fail.')
# Remove the CA cert from the systemwide certificate store
ipaservices.remove_ca_cert_from_systemwide_ca_store(CACERT)
# Remove the CA cert
try:
os.remove(CACERT)
@ -2403,12 +2406,20 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
root_logger.info("Configured /etc/sssd/sssd.conf")
# Add the CA to the platform-dependant systemwide CA store
ipaservices.insert_ca_cert_into_systemwide_ca_store(CACERT)
# Add the CA to the default NSS database and trust it
try:
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
root_logger.debug("Attempting to add CA directly to the "
"default NSS database.")
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb",
"-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", CACERT])
except CalledProcessError, e:
root_logger.info("Failed to add CA to the default NSS database.")
return CLIENT_INSTALL_ERROR
else:
root_logger.info('Added the CA to the default NSS database.')
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if options.on_master:

67
ipapython/platform/fedora19/__init__.py
View File

@ -17,6 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import shutil
import os
from subprocess import CalledProcessError
from ipapython.ipa_log_manager import root_logger
from ipapython.ipautil import run
from ipapython.platform import fedora18, base
# All what we allow exporting directly from this module
@ -38,10 +46,19 @@ from ipapython.platform import fedora18, base
# applicable
# check_selinux_status -- platform-specific way to see if SELinux is enabled
# and restorecon is installed.
# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
# CA certificate into the systemwide
# CA store
# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
# CA certificate from the systemwide
# CA store
__all__ = ['authconfig', 'service', 'knownservices',
'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
'restore_network_configuration', 'timedate_services']
'restore_network_configuration', 'timedate_services',
'insert_ca_cert_into_systemwide_ca_store',
'remove_ca_cert_from_systemwide_ca_store']
# Just copy a referential list of timedate services
timedate_services = list(base.timedate_services)
@ -53,3 +70,51 @@ service = fedora18.service
knownservices = fedora18.knownservices
restore_context = fedora18.restore_context
check_selinux_status = fedora18.check_selinux_status
systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
def insert_ca_cert_into_systemwide_ca_store(cacert_path):
# Add the 'ipa-' prefix to cert name to avoid name collisions
cacert_name = os.path.basename(cacert_path)
new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
# Add the CA to the systemwide CA trust database
try:
shutil.copy(cacert_path, new_cacert_path)
run(['/usr/bin/update-ca-trust'])
except OSError, e:
root_logger.info("Failed to copy %s to %s" % (cacert_path,
new_cacert_path))
except CalledProcessError, e:
root_logger.info("Failed to add CA to the systemwide "
"CA trust database: %s" % str(e))
else:
root_logger.info('Added the CA to the systemwide CA trust database.')
return True
return False
def remove_ca_cert_from_systemwide_ca_store(cacert_path):
# Derive the certificate name in the store
cacert_name = os.path.basename(cacert_path)
new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
# Remove CA cert from systemwide store
if os.path.exists(new_cacert_path):
try:
os.remove(new_cacert_path)
run(['/usr/bin/update-ca-trust'])
except OSError, e:
root_logger.error('Could not remove: %s, %s'
% (new_cacert_path, str(e)))
return False
except CalledProcessError, e:
root_logger.error('Could not update systemwide CA trust '
'database: %s' % str(e))
return False
else:
root_logger.info('Systemwide CA database updated.')
return True

11
ipapython/services.py.in
View File

@ -21,7 +21,7 @@
authconfig = None
# knownservices is an entry point to known platform services
# (instance of ipapython.platform.base.KnownServices)
# (instance of ipapython.platform.base.KnownServices)
knownservices = None
# service is a class to instantiate ipapython.platform.base.PlatformService
@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
def get_svc_list_file():
return SVC_LIST_FILE
def insert_ca_cert_into_systemwide_ca_store_default(path):
return True
def remove_ca_cert_from_systemwide_ca_store_default(path):
return True
insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
from ipapython.platform.SUPPORTED_PLATFORM import *