freeipa/ipaplatform/redhat
Sam Morris 3985183d73 Debian: write out only one CA certificate per file
ca-certificates populates /etc/ssl/certs with symlinks to its input
files and then runs 'openssl rehash' to create the symlinks that libssl
uses to look up a CA certificate to see if it is trusted.

'openssl rehash' ignores any files that contain more than one
certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.

With this change, we write out trusted CA certificates to
/usr/local/share/ca-certificates/ipa-ca, one certificate per file.

The logic that decides whether to reload the store is moved up into the
original `insert_ca_certs_into_systemwide_ca_store` and
`remove_ca_certs_from_systemwide_ca_store` methods. These methods now
also handle any exceptions that may be thrown while updating the store.

The functions that actually manipulate the store are factored out into
new `platform_{insert,remove}_ca_certs` methods, which implementations
must override.

These new methods also orchestrate the cleanup of deprecated files (such
as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
the cleanup code be included in the same method that creates
`/etc/pki/ca-trust/source/ipa.p11-kit`.

As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
systems will now also have
`/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
`p11-kit` in Debian does not use this file.

Fixes: https://pagure.io/freeipa/issue/8106
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-08 14:17:31 +03:00
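The one-certificate-per-file split that the commit message describes, as an added Python example that is not FreeIPA's own `tasks.py` code; the sample bundle is constructed (placeholder bodies, not real certificates), and the directory name and function names are assumptions.

```python
"""Split a PEM bundle into one certificate per file, the layout that
'openssl rehash' (and so Debian's update-ca-certificates) will index.
Added example, not FreeIPA code; names and paths are assumptions."""
import os
import re
import tempfile

# One PEM certificate block, BEGIN and END lines included.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: two placeholder bodies, only the PEM framing matters.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgQ0VSVCAx\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgQ0VSVCAy\n"
    "-----END CERTIFICATE-----\n"
)


def split_pem_bundle(bundle_text):
    """Return each PEM certificate in the bundle as its own string."""
    return [m.group(0) + "\n" for m in _PEM_CERT_RE.finditer(bundle_text)]


def write_one_cert_per_file(bundle_text, dest_dir, prefix="ipa-ca"):
    """Write dest_dir/<prefix>-<n>.crt for each certificate; return paths.
    By construction no output file holds more than one certificate."""
    os.makedirs(dest_dir, mode=0o755, exist_ok=True)
    written = []
    for n, cert in enumerate(split_pem_bundle(bundle_text)):
        path = os.path.join(dest_dir, "%s-%d.crt" % (prefix, n))
        with open(path, "w") as f:
            f.write(cert)
        written.append(path)
    return written


def count_certs_in_file(path):
    """Certificates in a file; rehash indexes it only when this is 1."""
    with open(path) as f:
        return len(split_pem_bundle(f.read()))


def demo():
    """Split SAMPLE_BUNDLE into a temp dir; return per-file cert counts."""
    dest = os.path.join(tempfile.mkdtemp(), "ipa-ca")  # stands in for
    paths = write_one_cert_per_file(SAMPLE_BUNDLE, dest)  # /usr/local/share/ca-certificates/ipa-ca
    return [count_certs_in_file(p) for p in paths]
```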
__init__.py Split off generic Red Hat-like platform code from Fedora platform code 2014-10-09 15:37:24 +02:00
authconfig.py authconfig.py: restore user-nsswitch.conf at uninstall time 2019-08-29 17:34:27 +02:00
constants.py Don't hard-code client's TLS versions and ciphers 2019-12-02 16:48:07 +01:00
paths.py Use tasks to configure automount nsswitch settings 2019-08-28 22:15:50 -04:00
services.py Add ExecStartPost hook to wait for Dogtag PKI 2019-04-24 09:09:28 +02:00
tasks.py Debian: write out only one CA certificate per file 2020-04-08 14:17:31 +03:00