certmonger: Use explicit storage format

Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Christian Heimes
2018-01-16 13:43:25 +01:00
parent 2d8d5ad8d9
commit 88fd3f9435
5 changed files with 27 additions and 15 deletions


@@ -788,8 +788,13 @@ def configure_certmonger(
try: try:
certmonger.request_cert( certmonger.request_cert(
certpath=paths.IPA_NSSDB_DIR, certpath=paths.IPA_NSSDB_DIR,
nickname='Local IPA host', subject=subject, dns=[hostname], storage='NSSDB',
principal=principal, passwd_fname=passwd_fname) nickname='Local IPA host',
subject=subject,
dns=[hostname],
principal=principal,
passwd_fname=passwd_fname
)
except Exception as ex: except Exception as ex:
logger.error( logger.error(
"%s request for host certificate failed: %s", "%s request for host certificate failed: %s",


@@ -639,11 +639,14 @@ class CertDB(object):
return self.nssdb.export_pem_cert(nickname, location) return self.nssdb.export_pem_cert(nickname, location)
def request_service_cert(self, nickname, principal, host): def request_service_cert(self, nickname, principal, host):
certmonger.request_and_wait_for_cert(certpath=self.secdir, certmonger.request_and_wait_for_cert(
nickname=nickname, certpath=self.secdir,
principal=principal, storage='NSSDB',
subject=host, nickname=nickname,
passwd_fname=self.passwd_fname) principal=principal,
subject=host,
passwd_fname=self.passwd_fname
)
def is_ipa_issued_cert(self, api, nickname): def is_ipa_issued_cert(self, api, nickname):
""" """


@@ -832,6 +832,7 @@ class DsInstance(service.Service):
cmd = 'restart_dirsrv %s' % self.serverid cmd = 'restart_dirsrv %s' % self.serverid
certmonger.request_and_wait_for_cert( certmonger.request_and_wait_for_cert(
certpath=dirname, certpath=dirname,
storage='NSSDB',
nickname=self.nickname, nickname=self.nickname,
principal=self.principal, principal=self.principal,
passwd_fname=dsdb.passwd_fname, passwd_fname=dsdb.passwd_fname,
@@ -839,7 +840,8 @@ class DsInstance(service.Service):
ca='IPA', ca='IPA',
profile=dogtag.DEFAULT_PROFILE, profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn], dns=[self.fqdn],
post_command=cmd) post_command=cmd
)
finally: finally:
if prev_helper is not None: if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper) certmonger.modify_ca_helper('IPA', prev_helper)


@@ -361,8 +361,7 @@ class HTTPInstance(service.Service):
ca='IPA', ca='IPA',
profile=dogtag.DEFAULT_PROFILE, profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn], dns=[self.fqdn],
post_command='restart_httpd', post_command='restart_httpd'
storage='FILE',
) )
finally: finally:
if prev_helper is not None: if prev_helper is not None:
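Review bot: The httpd certificate request in HTTPInstance appears to lose its explicit storage format here: going by the hunk header counts (8 old lines, 7 new), `storage='FILE',` after `post_command='restart_httpd'` is removed and nothing replaces it in the visible lines. That runs against the commit's stated aim of making the storage format explicit, and it leaves this call dependent on the default of `certmonger.request_and_wait_for_cert`, which is not shown on this page; if that default is not the format this call's `certpath` uses, the server key and certificate would be requested in the wrong store type. I would keep an explicit `storage=...` keyword on this call, set to the format its `certpath` refers to. The call starts above the hunk, so a storage argument may already be passed there; that is worth confirming before merge.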


@@ -430,18 +430,21 @@ class KrbInstance(service.Service):
'--agent-submit' '--agent-submit'
] ]
helper = " ".join(ca_args) helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper) prev_helper = certmonger.modify_ca_helper(
certmonger_ca, helper
)
certmonger.request_and_wait_for_cert( certmonger.request_and_wait_for_cert(
certpath, certpath=certpath,
subject, subject=subject,
krbtgt, principal=krbtgt,
ca=certmonger_ca, ca=certmonger_ca,
dns=self.fqdn, dns=self.fqdn,
storage='FILE', storage='FILE',
profile=KDC_PROFILE, profile=KDC_PROFILE,
post_command='renew_kdc_cert', post_command='renew_kdc_cert',
perms=(0o644, 0o600)) perms=(0o644, 0o600)
)
except dbus.DBusException as e: except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error # if the certificate is already tracked, ignore the error
name = e.get_dbus_name() name = e.get_dbus_name()