URL: https://github.com/freeipa/freeipa/pull/580 Author: stlaz Title: #580: Fix KDC certificates export on DL0 Action: synchronized
From 280af15a914aa7ec4faf83eb6016e917442d6500 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 14 Mar 2017 09:17:51 +0100
Subject: [PATCH] Fix KDC certificates export on DL0
https://pagure.io/freeipa/issue/6759
---
 ipaserver/install/certs.py | 16 +++++++++++-----
 ipaserver/install/ipa_replica_prepare.py | 20 ++++++--------------
 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..4bcc009 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -75,11 +75,17 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
 "-passin", "file:" + pwd.name])
 
 
-def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
- ipautil.run([paths.OPENSSL, "pkcs12",
- "-export", "-name", nickname,
- "-in", pem_fname, "-out", pkcs12_fname,
- "-passout", "file:" + pkcs12_pwd_fname])
+def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname,
+ key_fname=None):
+ args = [
+ paths.OPENSSL, "pkcs12",
+ "-export", "-name", nickname,
+ "-in", pem_fname, "-out", pkcs12_fname,
+ "-passout", "file:" + pkcs12_pwd_fname
+ ]
+ if key_fname is not None:
+ args.extend(['-inkey', key_fname])
+ ipautil.run(args)
 
 
 class CertDB(object):
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..044c993 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -447,7 +447,10 @@ def copy_pkinit_certificate(self):
 self.copy_info_file(self.pkinit_pkcs12_file.name, "pkinitcert.p12")
 else:
 self.log.info("Creating SSL certificate for the KDC")
- self.export_certdb("pkinitcert", passwd_fname, is_kdc=True)
+ pkcs12_fname = os.path.join(self.dir, "pkinitcert.p12")
+ certs.export_pem_p12(
+ pkcs12_fname, passwd_fname, "KDC-Cert",
+ pem_fname=paths.KDC_CERT, key_fname=paths.KDC_KEY)
 
 def copy_misc_files(self):
 self.log.info("Copying additional files")
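Review bot: The new `key_fname` parameter of `export_pem_p12` is undocumented, so a caller cannot tell from the signature that leaving it `None` makes openssl look for the private key inside `pem_fname` itself; add a docstring such as `"""Export a PEM certificate into a PKCS#12 file protected by the password stored in pkcs12_pwd_fname; key_fname names a separate private-key file, otherwise the key is expected to be in pem_fname."""`. The quoting in `args.extend(['-inkey', key_fname])` also differs from the double-quoted literals in the rest of the argument list; `args.extend(["-inkey", key_fname])` keeps the block consistent. Passing the export password through `-passout file:` rather than on the command line is the right choice here, since it keeps the secret out of process listings.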
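Review bot: The direct `certs.export_pem_p12(...)` call in copy_pkinit_certificate drops the error handling the replaced `self.export_certdb(...)` path had: the later hunks of this patch show export_certdb catching `ipautil.CalledProcessError`, logging it and removing the partial `pkcs12_fname`, whereas here an openssl failure propagates and leaves whatever partial `pkinitcert.p12` was written behind in `self.dir`. Wrapping the call the same way keeps the two export paths consistent; whether export_certdb re-raises after its cleanup is not visible in these hunks, so the excerpt below mirrors only the visible part. copy_pkinit_certificate's body starts before this hunk.
```python
            pkcs12_fname = os.path.join(self.dir, "pkinitcert.p12")
            try:
                certs.export_pem_p12(
                    pkcs12_fname, passwd_fname, "KDC-Cert",
                    pem_fname=paths.KDC_CERT, key_fname=paths.KDC_KEY)
            except ipautil.CalledProcessError as e:
                self.log.info("error exporting KDC certificate: %s", e)
                installutils.remove_file(pkcs12_fname)
```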
@@ -596,11 +599,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 hostname = self.replica_fqdn
 subject_base = self.subject_base
 
- if is_kdc:
- nickname = "KDC-Cert"
- else:
- nickname = "Server-Cert"
-
+ nickname = "Server-Cert"
 try:
 db = certs.CertDB(
 api.env.realm, nssdir=self.dir, subject_base=subject_base)
@@ -611,11 +610,7 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 pkcs12_fname = os.path.join(self.dir, fname + ".p12")
 
 try:
- if is_kdc:
- certs.export_pem_p12(pkcs12_fname, passwd_fname,
- nickname, os.path.join(self.dir, "kdc.pem"))
- else:
- db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
+ db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
 except ipautil.CalledProcessError as e:
 self.log.info("error exporting Server certificate: %s", e)
 installutils.remove_file(pkcs12_fname)
@@ -626,9 +621,6 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 self.remove_info_file("secmod.db")
 self.remove_info_file("noise.txt")
 
- if is_kdc:
- self.remove_info_file("kdc.pem")
-
 orig_filename = passwd_fname + ".orig"
 if ipautil.file_exists(orig_filename):
 installutils.remove_file(orig_filename)
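Review bot: After these three hunks (`@@ -596`, `@@ -611`, `@@ -626`) nothing left in export_certdb reads `is_kdc`, yet the hunk headers still show `is_kdc=False` in the signature; unless a use survives outside the hunks, the parameter is dead, and a caller still passing `is_kdc=True` now silently gets a `Server-Cert` export instead of an error. Drop it from the signature, `def export_certdb(self, fname, passwd_fname):`, so any remaining caller fails loudly at the call site, or add a comment stating why it is retained. The function's signature and the rest of its body are outside these hunks.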