mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-15 10:51:56 -06:00
ba8a10fbdb
Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less. Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
76 lines
2.6 KiB
Python
76 lines
2.6 KiB
Python
#
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
import binascii
|
|
import os
|
|
|
|
from ipalib import Registry
|
|
from ipalib import Updater
|
|
from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
|
|
from ipalib.install import certmonger
|
|
from ipaplatform.paths import paths
|
|
from ipapython import certdb
|
|
|
|
register = Registry()
|
|
|
|
|
|
@register()
|
|
class update_ra_cert_store(Updater):
|
|
"""
|
|
Moves the cert store from /etc/httpd/alias to /var/lib/ipa/radb
|
|
"""
|
|
|
|
def execute(self, **options):
|
|
ca_enabled = self.api.Command.ca_is_enabled()['result']
|
|
if not ca_enabled:
|
|
return False, []
|
|
|
|
olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
|
|
if not olddb.has_nickname('ipaCert'):
|
|
# Nothign to do
|
|
return False, []
|
|
|
|
newdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
|
|
if os.path.exists(paths.IPA_RADB_DIR):
|
|
if newdb.has_nickname('ipaCert'):
|
|
self.log.warning(
|
|
"An 'ipaCert' nickname exists in both the old {} and the "
|
|
"new {} NSS Databases!".format(paths.HTTPD_ALIAS_DIR,
|
|
paths.IPA_RADB_DIR))
|
|
return False, []
|
|
else:
|
|
# Create the DB
|
|
newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
|
|
|
|
# Import cert chain (ignore errors, as certs may already be imported)
|
|
certlist = olddb.list_certs()
|
|
certflags = {}
|
|
for name, flags in certlist:
|
|
certflags[name] = flags
|
|
for name in olddb.get_trust_chain('ipaCert'):
|
|
if name == 'ipaCert':
|
|
continue
|
|
try:
|
|
cert = olddb.get_cert(name, pem=True)
|
|
newdb.add_cert(cert, name, certflags[name], pem=True)
|
|
except Exception as e: # pylint disable=broad-except
|
|
self.log.warning("Failed to import '{}' from trust "
|
|
"chain: {}".format(name, str(e)))
|
|
|
|
# As the last step export/import/delete the RA Cert
|
|
pw = binascii.hexlify(os.urandom(10))
|
|
p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
|
|
olddb.export_pkcs12('ipaCert', p12file, pw)
|
|
newdb.import_pkcs12(p12file, pw)
|
|
|
|
certmonger.stop_tracking(secdir=olddb.secdir,
|
|
nickname='ipaCert')
|
|
certmonger.start_tracking(secdir=newdb.secdir,
|
|
nickname='ipaCert',
|
|
password_file=newdb.pwd_file)
|
|
|
|
olddb.delete_cert('ipaCert')
|
|
|
|
return False, []
|