mirror of https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
3985183d73
ca-certificates populates /etc/ssl/certs with symlinks to its input files and then runs 'openssl rehash' to create the symlinks that libssl uses to look up a CA certificate to see if it is trusted. 'openssl rehash' ignores any files that contain more than one certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.

With this change, we write out trusted CA certificates to /usr/local/share/ca-certificates/ipa-ca, one certificate per file.

The logic that decides whether to reload the store is moved up into the original `insert_ca_certs_into_systemwide_ca_store` and `remove_ca_certs_from_systemwide_ca_store` methods. These methods now also handle any exceptions that may be thrown while updating the store. The functions that actually manipulate the store are factored out into new `platform_{insert,remove}_ca_certs` methods, which implementations must override.

These new methods also orchestrate the cleanup of deprecated files (such as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having the cleanup code be included in the same method that creates `/etc/pki/ca-trust/source/ipa.p11-kit`.

As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian systems will now also have `/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that `p11-kit` in Debian does not use this file.

Fixes: https://pagure.io/freeipa/issue/8106

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
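As an added example (not FreeIPA's code), the two pieces of the behaviour the commit describes: detecting a PEM file that 'openssl rehash' will skip because it holds more than one certificate, and splitting such a bundle into one certificate per file. The destination directory, the `<stem>-<n>.crt` naming and the placeholder PEM blocks are this example's own assumptions.

```python
"""Split a PEM bundle into one certificate per file, and flag bundles that
'openssl rehash' ignores. Added example; not FreeIPA's own implementation."""
import re
from pathlib import Path

# One PEM certificate block, BEGIN line through END line.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> list[str]:
    """Return every certificate in `text` as its own PEM string."""
    return [m.group(0) + "\n" for m in _PEM_CERT.finditer(text)]


def rehash_would_ignore(text: str) -> bool:
    """True when the file holds more than one certificate: 'openssl rehash'
    skips such files, so none of the CAs in them get a hash symlink and
    libssl will not find them when building a chain."""
    return len(split_pem_bundle(text)) > 1


def write_one_per_file(bundle_text: str, dest_dir: Path,
                       stem: str = "ipa-ca") -> list[Path]:
    """Write each certificate to dest_dir/<stem>-<n>.crt (the naming is this
    example's own convention, not FreeIPA's) and return the written paths."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, pem in enumerate(split_pem_bundle(bundle_text), start=1):
        path = dest_dir / f"{stem}-{n}.crt"
        path.write_text(pem)
        written.append(path)
    return written


# Constructed sample: two placeholder certificate blocks, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
WklYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkE5ODc2NTQzMjEw
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("bundle skipped by rehash:", rehash_would_ignore(SAMPLE_BUNDLE))
        for p in write_one_per_file(SAMPLE_BUNDLE, Path(tmp)):
            print(p.name, "skipped:", rehash_would_ignore(p.read_text()))
```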
__init__.py
authconfig.py
constants.py
paths.py
services.py
tasks.py