mirror of https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
64d187e56e
In the get_trust_chain method, use certutil -O with the option --simple-self-signed to make sure that self-signed certs properly get processed.

Note: this option has been introduced in nss 3.38 and our spec file already requires nss >= 3.41.

Scenario: when IPA CA is switched from self-signed to externally-signed, then back to self-signed, the same nickname can be used in /etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If the original and renewed certs are present in the NSS db, running

    $ certutil -O -n <IPA CA alias>

produces a complex output like the following (this command is used to find the trust chain):

    "CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]
    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

The renewal code is disturbed by this output. If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is used to extract the trust chain, the output is as expected for a self-signed cert:

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

As a result, the scenario self-signed > externally signed > self-signed works.

Fixes: https://pagure.io/freeipa/issue/7926
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
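As an added illustration (not part of the commit or of the FreeIPA code base), the following parses the `"<nickname>" [<subject>]` line format that certutil -O prints and runs the sanity check a renewal helper would want: it flags the chain in which the same nickname appears twice, which is the output the commit message says confused the renewal code. The two sample outputs are constructed from the ones quoted above; the indentation of nested entries is assumed to follow certutil's layout.

```python
import re

# Constructed sample outputs, reproducing the two certutil -O results quoted in
# the commit message. certutil prints one chain element per line, root first,
# as "<nickname>" [<subject DN>], indenting each nested level (assumed layout).
OUTPUT_TWO_CERTS_SAME_NICKNAME = '''\
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
'''

OUTPUT_SIMPLE_SELF_SIGNED = '''\
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
'''

# Leading whitespace is the nesting indentation; a nickname may itself contain
# spaces, so the match is anchored on the closing quote followed by ' ['.
CHAIN_LINE = re.compile(r'^\s*"(?P<nick>.*)" \[(?P<subject>.*)\]$')


def parse_trust_chain(certutil_output):
    """Parse certutil -O output into [(nickname, subject DN), ...], root first."""
    chain = []
    for line in certutil_output.splitlines():
        match = CHAIN_LINE.match(line)
        if match:
            chain.append((match.group('nick'), match.group('subject')))
    return chain


def chain_problems(chain, leaf_nickname):
    """Return findings a renewal helper should raise before acting on a chain.

    An empty list means the chain ends at the expected nickname and names each
    certificate once. A nickname listed twice means the NSS db holds more than
    one cert under that alias (e.g. the original and the renewed CA cert), so
    the chain does not identify a single certificate to renew or trust.
    """
    problems = []
    if not chain:
        return ["certutil returned no chain"]
    if chain[-1][0] != leaf_nickname:
        problems.append("chain ends at %r, expected %r" % (chain[-1][0], leaf_nickname))
    seen = set()
    for nick, _subject in chain:
        if nick in seen:
            problems.append("nickname %r appears more than once in the chain" % nick)
            break
        seen.add(nick)
    return problems
```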
| Name |
|---|
| install |
| __init__.py |
| admintool.py |
| certdb.py |
| config.py |
| cookie.py |
| directivesetter.py |
| dn_ctypes.py |
| dn.py |
| dnsutil.py |
| dogtag.py |
| errors.py |
| graph.py |
| ipa_log_manager.py |
| ipaldap.py |
| ipautil.py |
| ipavalidate.py |
| kerberos.py |
| kernel_keyring.py |
| Makefile.am |
| nsslib.py |
| README |
| session_storage.py |
| setup.cfg |
| setup.py |
| ssh.py |
| version.py.in |
This is a set of libraries common to IPA clients and servers, though currently geared mostly towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to try to detect this information first and will fall back to /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class (but don't add anything currently).

ipavalidate.py - basic data validation routines