Specify cert_paths when calling PKIConnection

PKIConnection now defaults to verify=True. We've introduced a new
parameter, cert_paths, to specify additional paths (directories or
files) to load as trusted certificates. Pass the IPA CA certificate file
so connections succeed and the peer's certificate is validated against
the IPA CA chain.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Alexander Scheel
2020-06-19 08:48:56 -04:00
committed by Christian Heimes
parent 6a0901f6fd
commit a087d82e78
5 changed files with 19 additions and 11 deletions


@@ -112,9 +112,9 @@
# Fedora # Fedora
%endif %endif
# 10.7.3 supports LWCA key replication using AES # PKIConnection has been modified to always validate certs.
# https://pagure.io/freeipa/issue/8020 # https://pagure.io/freeipa/issue/8379
%global pki_version 10.7.3-1 %global pki_version 10.9.0-0.4
# https://pagure.io/certmonger/issue/90 # https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-1 %global certmonger_version 0.79.7-1


@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
""" """
conn = PKIConnection( conn = PKIConnection(
hostname=hostname, hostname=hostname,
subsystem=subsystem subsystem=subsystem,
cert_paths=paths.IPA_CA_CRT
) )
logger.info( logger.info(
"Created connection %s://%s:%s/%s", "Created connection %s://%s:%s/%s",
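Review bot: `cert_paths=paths.IPA_CA_CRT` is passed unconditionally here, whereas the pkispawn hunk in this same commit only points at IPA_CA_CRT when the file exists; if get_conn can be reached before the CA certificate has been written (initial CA install), what happens depends on how PKIConnection treats a missing path — confirm it fails loudly rather than silently falling back to the system trust store. A one-line comment would also help the next reader understand why the argument is there: `# PKIConnection verifies TLS by default; trust only the IPA CA chain`. get_conn's signature appears in the hunk header, but its body starts outside the hunk.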


@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
else: else:
pki_pin = None pki_pin = None
# When spawning a CA instance, always point to IPA_CA_CRT if it
# exists. Later, when we're performing step 2 of an external CA
# installation, we'll overwrite this key to point to the real
# external CA.
if os.path.exists(paths.IPA_CA_CRT):
cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
if self.clone: if self.clone:
if self.no_db_setup: if self.no_db_setup:
cfg.update( cfg.update(
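Review bot: The `os.path.exists(paths.IPA_CA_CRT)` guard silently omits `pki_cert_chain_path` when the file is absent; that is expected on a first CA install, but on a replica (`self.clone`) the CA certificate should already be present from client enrollment, so an absent file there means pkispawn runs with a degraded configuration without anyone noticing. Consider making that case visible, e.g. `elif self.clone: logger.warning("%s not found; pkispawn runs without pki_cert_chain_path", paths.IPA_CA_CRT)` (assuming the module logger is in scope). Whether pkispawn verifies the peer at all without this key is not visible in the hunk, and the "step 2 of an external CA installation" overwrite the comment mentions happens elsewhere, so the comment is a promise the reader cannot check here. The enclosing method starts and ends outside the hunk.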


@@ -70,7 +70,8 @@ def get_security_domain():
connection = PKIConnection( connection = PKIConnection(
protocol='https', protocol='https',
hostname=api.env.ca_host, hostname=api.env.ca_host,
port='8443' port='8443',
cert_paths=paths.IPA_CA_CRT
) )
domain_client = pki.system.SecurityDomainClient(connection) domain_client = pki.system.SecurityDomainClient(connection)
info = domain_client.get_security_domain_info() info = domain_client.get_security_domain_info()
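Review bot: With verification now on, the TLS handshake also checks that the server certificate matches `api.env.ca_host`; if ca_host is ever a short name, alias or IP rather than a name in the CA server certificate's SAN, `get_security_domain_info()` will now fail where it previously connected, and the failure will look like a generic connection error. A comment above the connection would record that new constraint: `# Verified against the IPA CA chain; ca_host must match the server cert's SAN`. get_security_domain's body starts before this hunk.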


@@ -1969,13 +1969,12 @@ class kra(Backend):
'https', 'https',
self.kra_host, self.kra_host,
str(self.kra_port), str(self.kra_port),
'kra') 'kra',
cert_paths=paths.IPA_CA_CRT
)
connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY) connection.set_authentication_cert(paths.RA_AGENT_PEM,
# uncomment the following when this commit makes it to release paths.RA_AGENT_KEY)
# https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
# connection.set_authentication_cert(paths.RA_AGENT_PEM,
# paths.RA_AGENT_KEY)
try: try:
yield KRAClient(connection, crypto) yield KRAClient(connection, crypto)
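Review bot: Now that the KRA connection verifies the peer, a chain or hostname mismatch will presumably surface as an SSL error from the requests session during calls made through `KRAClient` inside the `try`; the handler that follows is outside the hunk, so check that it maps such an error to a clear message naming `paths.IPA_CA_CRT` instead of a generic KRA failure. A short comment above the PKIConnection call would document the trust boundary: `# Verify the KRA server cert against the IPA CA chain; authenticate as the RA agent`. The enclosing context-manager method continues outside the hunk.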