If NSSDatabase() throws a ValueError it means we can't open it to look for an existing ipaCert to migrate. Chances are there is no certificate to migrate at this point in Fedora so don't let it blow up the entire installation/upgrade. Warn the user and let them figure it out. We have no real path forward on this and by proceeding it could lead to more errors (like no RA) but it is extremely unlikely and would require a user to upgrade from very old Fedora to very new Fedora in one step. https://pagure.io/freeipa/issue/8675 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Levin <slev@altlinux.org>
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
from __future__ import absolute_import
import logging
import os
import tempfile
from ipalib import Registry
from ipalib import Updater
from ipalib.install import certmonger
from ipaplatform.paths import paths
from ipapython.certdb import NSSDatabase
from ipaserver.install import cainstance
logger = logging.getLogger(__name__)  # module logger; the updater's warnings go here
register = Registry()  # plugin registry; update_ra_cert_store registers itself via @register()
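@register()
class update_ra_cert_store(Updater):
    """
    Move the RA agent certificate (nickname ``ipaCert``) out of the old
    ``/etc/httpd/alias`` NSS database into the ``RA_AGENT_PEM`` /
    ``RA_AGENT_KEY`` files.

    The updater is a no-op when the CA is not enabled, when the NSS
    database cannot be opened, or when it holds no ``ipaCert`` entry.
    """

    def execute(self, **options):
        """
        Migrate ``ipaCert`` from the NSS database to PEM files.

        :param options: ignored; accepted for the Updater interface
        :return: ``(False, [])`` -- this updater never asks for a restart
            and never queues LDAP updates
        :raises: whatever the PKCS#12 export or ``import_ra_cert`` raise;
            in that case the NSS copy of the key is left untouched and the
            temporary PKCS#12 bundle is removed
        """
        ra_nick = 'ipaCert'
        ca_enabled = self.api.Command.ca_is_enabled()['result']
        if not ca_enabled:
            return False, []

        try:
            certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
        except ValueError as e:
            # An unopenable database almost certainly means there is
            # nothing left to migrate; warn instead of failing the whole
            # installation/upgrade.
            logger.warning("Problem opening NSS database in "
                           "%s. Skipping check for existing RA "
                           "agent certificate: %s", paths.HTTPD_ALIAS_DIR, e)
            return False, []

        if not certdb.has_nickname(ra_nick):
            # Nothing to do
            return False, []
        elif os.path.exists(paths.RA_AGENT_PEM):
            # Even though the certificate file exists, we will overwrite it
            # as it's probably something wrong anyway.
            logger.warning(
                "A certificate with the nickname 'ipaCert' exists in "
                "the old '%s' NSS database as well as in the new "
                "PEM file '%s'",
                paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)

        # mkstemp creates the file 0600, which is what a PKCS#12 bundle
        # holding an unencrypted private key needs; the descriptor itself
        # is not used (export_pkcs12 writes by path), so close it rather
        # than leak it.
        fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
        os.close(fd)
        try:
            # no password is necessary as we will be saving it in clear anyway
            certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')

            # Install the PEM copy and start tracking it in certmonger
            # *before* touching the NSS copy: if this fails, the only copy
            # of the RA key is still where it was.
            # NOTE(review): assumes import_ra_cert reads only the PKCS#12
            # file and does not depend on the NSS entry -- confirm in
            # cainstance.
            ca = cainstance.CAInstance()
            ca.import_ra_cert(p12file)

            # stop tracking the old cert and remove it
            certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
            certdb.delete_key_and_cert(ra_nick)
            if os.path.exists(paths.OLD_KRA_AGENT_PEM):
                os.remove(paths.OLD_KRA_AGENT_PEM)
        finally:
            # Never leave the cleartext key bundle on disk, success or not.
            os.remove(p12file)

        return False, []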