From 88fd3f9435b2b26df5effc18ea9a89dfa2a64624 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 16 Jan 2018 13:43:25 +0100
Subject: [PATCH] certmonger: Use explicit storage format

Add storage='NSSDB' to various places. It makes it a bit easier to track down NSSDB usage.

Signed-off-by: Christian Heimes
Reviewed-By: Stanislav Laznicka
---
 ipaclient/install/client.py | 9 +++++++--
 ipaserver/install/certs.py | 13 ++++++++-----
 ipaserver/install/dsinstance.py | 4 +++-
 ipaserver/install/httpinstance.py | 3 +--
 ipaserver/install/krbinstance.py | 13 ++++++++-----
 5 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 7d336d95f..e033751ec 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -788,8 +788,13 @@ def configure_certmonger(
     try:
         certmonger.request_cert(
             certpath=paths.IPA_NSSDB_DIR,
-            nickname='Local IPA host', subject=subject, dns=[hostname],
-            principal=principal, passwd_fname=passwd_fname)
+            storage='NSSDB',
+            nickname='Local IPA host',
+            subject=subject,
+            dns=[hostname],
+            principal=principal,
+            passwd_fname=passwd_fname
+        )
     except Exception as ex:
         logger.error(
             "%s request for host certificate failed: %s",
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f6102605e..526acfc74 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -639,11 +639,14 @@ class CertDB(object):
         return self.nssdb.export_pem_cert(nickname, location)
 
     def request_service_cert(self, nickname, principal, host):
-        certmonger.request_and_wait_for_cert(certpath=self.secdir,
-                                             nickname=nickname,
-                                             principal=principal,
-                                             subject=host,
-                                             passwd_fname=self.passwd_fname)
+        certmonger.request_and_wait_for_cert(
+            certpath=self.secdir,
+            storage='NSSDB',
+            nickname=nickname,
+            principal=principal,
+            subject=host,
+            passwd_fname=self.passwd_fname
+        )
 
     def is_ipa_issued_cert(self, api, nickname):
         """
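Review bot: Nothing at this call site records why `storage='NSSDB'` is now spelled out when `certpath=paths.IPA_NSSDB_DIR` already implies it, so the next maintainer may treat the keyword as redundant and drop it again; a one-line comment above the call such as `# storage is explicit so every NSSDB-backed request is greppable` preserves the rationale from the commit message. As a point of style, end the rewritten argument list with a trailing comma (`passwd_fname=passwd_fname,`) so that adding the next keyword, as this change does, is a one-line diff rather than a two-line one. configure_certmonger starts before the hunk and the except handler continues after it.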
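Review bot: request_service_cert is a public method of CertDB and still has no docstring after the rewrite, so a reader has to infer from the keywords that the certificate is requested into this object's NSS database rather than a file. A docstring along the lines of `"""Request a certificate for *principal* with subject *host* from certmonger and store it under *nickname* in this NSS database (self.secdir)."""` states what the visible arguments establish; whether the helper blocks until issuance is suggested only by its name and should be confirmed before being documented. The class header is outside the hunk, but the method itself is fully visible.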
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 49acc9a42..982634b7c 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -832,6 +832,7 @@ class DsInstance(service.Service):
             cmd = 'restart_dirsrv %s' % self.serverid
             certmonger.request_and_wait_for_cert(
                 certpath=dirname,
+                storage='NSSDB',
                 nickname=self.nickname,
                 principal=self.principal,
                 passwd_fname=dsdb.passwd_fname,
@@ -839,7 +840,8 @@ class DsInstance(service.Service):
                 ca='IPA',
                 profile=dogtag.DEFAULT_PROFILE,
                 dns=[self.fqdn],
-                post_command=cmd)
+                post_command=cmd
+            )
         finally:
             if prev_helper is not None:
                 certmonger.modify_ca_helper('IPA', prev_helper)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 6acb9126b..21fabf0d3 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -361,8 +361,7 @@ class HTTPInstance(service.Service):
                 ca='IPA',
                 profile=dogtag.DEFAULT_PROFILE,
                 dns=[self.fqdn],
-                post_command='restart_httpd',
-                storage='FILE',
+                post_command='restart_httpd'
             )
         finally:
             if prev_helper is not None:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a70b8c98c..ee22b9e62 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -430,18 +430,21 @@ class KrbInstance(service.Service):
                     '--agent-submit'
                 ]
                 helper = " ".join(ca_args)
-                prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper)
+                prev_helper = certmonger.modify_ca_helper(
+                    certmonger_ca, helper
+                )
 
             certmonger.request_and_wait_for_cert(
-                certpath,
-                subject,
-                krbtgt,
+                certpath=certpath,
+                subject=subject,
+                principal=krbtgt,
                 ca=certmonger_ca,
                 dns=self.fqdn,
                 storage='FILE',
                 profile=KDC_PROFILE,
                 post_command='renew_kdc_cert',
-                perms=(0o644, 0o600))
+                perms=(0o644, 0o600)
+            )
         except dbus.DBusException as e:
             # if the certificate is already tracked, ignore the error
             name = e.get_dbus_name()
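Review bot: Removing `storage='FILE'` without a replacement leaves this request_and_wait_for_cert call depending on the helper's default storage, which runs against the commit's stated aim of making the storage format explicit at each call site. If the HTTP certificate is kept in an NSS database — the certpath argument is outside the hunk, so that cannot be confirmed here — replace the removed line with `storage='NSSDB',` instead of dropping it, so a later change to the helper's default cannot silently re-route this request; if it really is a file, the old line was correct and should stay. The enclosing try/finally begins before the hunk.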
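Review bot: The conversion to keyword arguments leaves `dns=self.fqdn` as a bare string, while the dsinstance and client hunks of this same patch pass `dns=[self.fqdn]` / `dns=[hostname]`; if the helper iterates over dns to build the SAN list, a string would be walked character by character, so either make it `dns=[self.fqdn],` for consistency or confirm that the helper accepts both forms. Keeping `storage='FILE'` explicit here is in line with the commit's title, and `perms=(0o644, 0o600)` keeps the key file owner-only. The enclosing method starts before the hunk and the except handler continues after it.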