diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 4fde6c66e..9cf160fac 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -165,6 +165,7 @@ class BasePathNamespace(object):
     BIN_KVNO = "/usr/bin/kvno"
     LDAPMODIFY = "/usr/bin/ldapmodify"
     LDAPPASSWD = "/usr/bin/ldappasswd"
+    MODUTIL = "/usr/bin/modutil"
     NET = "/usr/bin/net"
     BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
     NSUPDATE = "/usr/bin/nsupdate"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b53333a84..ca3bcc87e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -351,11 +351,25 @@ class HTTPInstance(service.Service):
         os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
         os.chmod(pwd_conf, 0o400)
 
+    def disable_system_trust(self):
+        name = 'Root Certs'
+        args = [paths.MODUTIL, '-dbdir', paths.HTTPD_ALIAS_DIR, '-force']
+
+        result = ipautil.run(args + ['-list', name],
+                             env={},
+                             capture_output=True)
+        if 'Status: Enabled' in result.output:
+            ipautil.run(args + ['-disable', name], env={})
+            return True
+
+        return False
+
     def __setup_ssl(self):
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
                           subject_base=self.subject_base, user="root",
                           group=constants.HTTPD_GROUP,
                           truncate=(not self.promote))
+        self.disable_system_trust()
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 993835ed1..1706079da 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
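Review bot: In the new `disable_system_trust` the decision rests on a substring match against modutil's human-readable output, and the `-list` call is made with ipautil.run's default raise-on-error behaviour, so a missing 'Root Certs' module (if modutil exits non-zero for it) aborts `__setup_ssl` instead of being treated as "nothing to disable", while a changed output format silently leaves system trust enabled and returns False. I would pass `raiseonerr=False` and gate on the exit status: `result = ipautil.run(args + ['-list', name], env={}, capture_output=True, raiseonerr=False)` followed by `if result.returncode == 0 and 'Status: Enabled' in result.output:`. The method also lacks a docstring; I would add one stating that it disables the system trust ('Root Certs') PKCS#11 module in the httpd NSS database so that only CAs explicitly present in that database are trusted, and that it returns True only when the module was actually disabled by this call. `__setup_ssl` continues past the end of the hunk.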
@@ -1521,6 +1521,21 @@ def setup_pkinit(krb):
     krb.start()
 
 
+def disable_httpd_system_trust(http):
+    ca_certs = []
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    for nickname, trust_flags in db.list_certs():
+        if 'u' not in trust_flags:
+            cert = db.get_cert_from_db(nickname, pem=False)
+            if cert:
+                ca_certs.append((cert, nickname, trust_flags))
+
+    if http.disable_system_trust():
+        for cert, nickname, trust_flags in ca_certs:
+            db.add_cert(cert, nickname, trust_flags)
+
+
 def upgrade_configuration():
     """
     Execute configuration upgrade of the IPA services
@@ -1656,6 +1671,7 @@ def upgrade_configuration():
     http.enable_kdcproxy()
     http.stop()
 
+    disable_httpd_system_trust(http)
     update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
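Review bot: `disable_httpd_system_trust` snapshots `db.list_certs()` while the 'Root Certs' module is still enabled, and the only filter is `'u' not in trust_flags`; if `list_certs()` at that point also enumerates certificates served by the system trust module rather than only those stored in the httpd database (I cannot tell from the hunk), the re-add loop would copy every system CA into the database with CA trust flags, which is the opposite of what disabling the module is meant to achieve. Worth confirming against `CertDB.list_certs`, and if it does include module-backed entries, restricting the snapshot to certificates the database itself holds. The function also has no docstring, while its ordering is the non-obvious part; I would add one along the lines of `"""Disable the system trust module in the httpd NSS DB, re-applying the DB's own CA trust flags afterwards since disabling the module can drop them."""`, with the second clause hedged until the reason for the re-add is confirmed. The same call is added one hunk later in `upgrade_configuration`, after `http.stop()`, so it runs with httpd down as intended.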