URL: https://github.com/freeipa/freeipa/pull/173 Author: frasertweedale Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/173/head:pr173 git checkout pr173
From a6ce7e03adecb86c8f5ecd9170ae6f6e4dbb6466 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <[email protected]> Date: Thu, 20 Oct 2016 14:42:17 +1000 Subject: [PATCH] Ensure correct IPA CA nickname in DS and HTTP NSSDBs During replica installation, if the IPA deployment has a custom subject_base, the routines that create the DS and HTTP NSSDBs erroneously compare the subject of CA certs to the *default* subject base. This causes the IPA CA cert to be added to the NSSDBs with a nickname derived from the subject name, instead of "{REALM} IPA CA". At a later stage of installation, the `upload_cacrt` plugin reads certs from the HTTP NSSDB in order to update the cn=certificates LDAP certstore. The NSSDB nickname of the cert is used as the CN for the entry. Because the IPA CA cert was not installed in the HTTP NSSDB with the "{REALM} IPA CA", this causes a spurious entry for the IPA CA to be added to the certstore. To avoid this scenario, use the deployment's actual subject base when deciding if a cert is the IPA CA cert. Fixes: https://fedorahosted.org/freeipa/ticket/6415 --- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/server/replicainstall.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index a58f8eb..f4cb247 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -1265,7 +1265,7 @@ def __get_ds_keytab(self): os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid) def __get_ds_cert(self): - subject = DN(('O', self.realm)) + subject = self.subject_base or DN(('O', self.realm)) nssdb_dir = config_dirname(self.serverid) db = certs.CertDB(self.realm, nssdir=nssdb_dir, subject_base=subject) db.request_service_cert(self.nickname, self.principal, self.fqdn) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index aeae6b3..7e04374 100644 --- a/ipaserver/install/server/replicainstall.py 
+++ b/ipaserver/install/server/replicainstall.py @@ -93,7 +93,7 @@ def install_http_certs(config, fstore, remote_api): # Obtain certificate for the HTTP service nssdir = certs.NSS_DIR - subject = DN(('O', config.realm_name)) + subject = config.subject_base or DN(('O', config.realm_name)) db = certs.CertDB(config.realm_name, nssdir=nssdir, subject_base=subject) db.request_service_cert('Server-Cert', principal, config.host_name, True)
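Review bot: In the dsinstance.py hunk, the new line `subject = self.subject_base or DN(('O', self.realm))` silently falls back to the default subject base whenever `self.subject_base` is unset, which is exactly the condition that produced the wrong "{REALM} IPA CA" nickname this patch is fixing; if `subject_base` is always populated before `__get_ds_cert` runs, use it unconditionally so a missing value fails loudly instead of reintroducing the mis-nicknamed CA cert (and the spurious cn=certificates entry the commit message describes), and if the fallback really is needed for some install path, add a comment saying which one.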
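Review bot: In the replicainstall.py hunk, the line `subject = config.subject_base or DN(('O', config.realm_name))` re-derives the default subject base inline, as the dsinstance.py hunk does, so the definition of the default now lives in two places with the same `or` fallback; consider resolving the effective subject base once (a small helper that takes the realm and the configured base) and passing the result to `certs.CertDB(...)` in both callers. Since the diff stat shows only the two one-line changes, a regression test that runs replica installation with a non-default subject_base and asserts the CA cert nickname in the HTTP NSSDB would guard the fix for https://fedorahosted.org/freeipa/ticket/6415.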
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
