URL: https://github.com/freeipa/freeipa/pull/694 Author: martbab Title: #694: RFC: implement local PKINIT deployment in server/replica install Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/694/head:pr694 git checkout pr694
From f3f48aa15587eccc8046f36d62397fee634f7090 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 15:06:46 +0200 Subject: [PATCH 1/8] Allow for configuration of all three PKINIT variants when deploying KDC The PKINIT setup code now can configure PKINIT using IPA CA signed certificate, 3rd party certificate and local PKINIT with self-signed keypair. The local PKINIT is also selected as a fallback mechanism if the CSR is rejected by CA master or `--no-pkinit` is used. http://www.freeipa.org/page/V4/Kerberos_PKINIT https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 143 +++++++++++++++++++++++++-------------- 1 file changed, 91 insertions(+), 52 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 6c105f7..a86cd16 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -38,6 +38,7 @@ from ipalib.install import certmonger from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN +from ipapython.dogtag import KDC_PROFILE from ipaserver.install import replication from ipaserver.install import ldapupdate @@ -354,61 +355,80 @@ def _wait_for_replica_kdc_entry(self): remote_ldap.gssapi_bind() replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60) - def setup_pkinit(self): - if self.pkcs12_info: - certs.install_pem_from_p12(self.pkcs12_info[0], - self.pkcs12_info[1], - paths.KDC_CERT) - certs.install_key_from_p12(self.pkcs12_info[0], - self.pkcs12_info[1], - paths.KDC_KEY) - else: - subject = str(DN(('cn', self.fqdn), self.subject_base)) - krbtgt = "krbtgt/" + self.realm + "@" + self.realm - certpath = (paths.KDC_CERT, paths.KDC_KEY) + def _call_certmonger(self, certmonger_ca='IPA'): + subject = str(DN(('cn', self.fqdn), self.subject_base)) + krbtgt = "krbtgt/" + self.realm + "@" + self.realm + certpath = (paths.KDC_CERT, paths.KDC_KEY) - try: - prev_helper = None - if self.master_fqdn is None: - ca_args = [ - paths.CERTMONGER_DOGTAG_SUBMIT, - '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, - '--certfile', paths.RA_AGENT_PEM, - '--keyfile', paths.RA_AGENT_KEY, - '--cafile', paths.IPA_CA_CRT, - '--agent-submit' - ] - helper = " ".join(ca_args) - prev_helper = certmonger.modify_ca_helper('IPA', helper) - else: - self._wait_for_replica_kdc_entry() - - certmonger.request_and_wait_for_cert( - certpath, - subject, - krbtgt, - dns=self.fqdn, - storage='FILE', - profile='KDCs_PKINIT_Certs') - except dbus.DBusException as e: - # if the certificate is already tracked, ignore the error - name = e.get_dbus_name() - if name != 'org.fedorahosted.certmonger.duplicate': - root_logger.error("Failed to initiate the request: %s", e) - return - finally: - if prev_helper is not None: - certmonger.modify_ca_helper('IPA', prev_helper) - - # Finally copy the cacert in the krb directory so we don't - # have any selinux issues with the file context + try: + prev_helper = None + # on the first CA-ful master without '--no-pkinit', we issue the + # certificate by contacting Dogtag directly + use_dogtag_submit = all( + [self.master_fqdn is None, + self.pkcs12_info is None, + self.config_pkinit]) + + if use_dogtag_submit: + ca_args = [ + paths.CERTMONGER_DOGTAG_SUBMIT, + '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, + '--certfile', paths.RA_AGENT_PEM, + '--keyfile', paths.RA_AGENT_KEY, + '--cafile', paths.IPA_CA_CRT, + '--agent-submit' + ] + helper = " ".join(ca_args) + prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper) + + certmonger.request_and_wait_for_cert( + certpath, + subject, + krbtgt, + ca=certmonger_ca, + dns=self.fqdn, + storage='FILE', + profile=KDC_PROFILE) + except dbus.DBusException as e: + # if the certificate is already tracked, ignore the error + name = e.get_dbus_name() + if name != 'org.fedorahosted.certmonger.duplicate': + root_logger.error("Failed to initiate the request: %s", e) + return + finally: + if prev_helper is not None: + certmonger.modify_ca_helper(certmonger_ca, prev_helper) + + def issue_selfsigned_pkinit_certs(self): + self._call_certmonger(certmonger_ca="SelfSign") + # for self-signed certificate, the certificate is its own CA, copy it + # as CA cert + shutil.copyfile(paths.KDC_CERT, paths.CACERT_PEM) + + def issue_ipa_ca_signed_pkinit_certs(self): + try: + self._call_certmonger() + shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) + except RuntimeError as e: + root_logger.error("PKINIT certificate request failed: %s", e) + root_logger.error("Failed to configure PKINIT") + self.stop_tracking_certs() + self.issue_selfsigned_pkinit_certs() + + def install_external_pkinit_certs(self): + certs.install_pem_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + paths.KDC_CERT) + certs.install_key_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + paths.KDC_KEY) shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) - try: - self.restart() - except Exception: - root_logger.critical("krb5kdc service failed to restart") - raise + def setup_pkinit(self): + if self.pkcs12_info: + self.install_external_pkinit_certs() + elif self.config_pkinit: + self.issue_ipa_ca_signed_pkinit_certs() def test_anonymous_pkinit(self): with ipautil.private_ccache() as anon_ccache: @@ -418,6 +438,15 @@ def test_anonymous_pkinit(self): raise RuntimeError("Failed to configure anonymous PKINIT") def enable_ssl(self): + """ + generate PKINIT certificate for KDC. If `--no-pkinit` was specified, + only configure local self-signed KDC certificate for use as a FAST + channel generator for WebUI. Do not advertise the installation steps in + this case. + """ + if self.master_fqdn is not None: + self._wait_for_replica_kdc_entry() + if self.config_pkinit: self.steps = [] self.step("installing X509 Certificate for PKINIT", @@ -425,6 +454,16 @@ def enable_ssl(self): self.step("testing anonymous PKINIT", self.test_anonymous_pkinit) self.start_creation() + else: + self.issue_selfsigned_pkinit_certs() + + try: + self.restart() + except Exception: + root_logger.critical("krb5kdc service failed to restart") + raise + + record_pkinit_state_ldap(self.api) def get_anonymous_principal_name(self): return "%s@%s" % (ANON_USER, self.realm) From a7a7d0541f1c3697abcdaa16771f8d51e3c0a71a Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 14:44:29 +0200 Subject: [PATCH 2/8] API for retrieval of master's PKINIT status and publishing it in LDAP An API was added to retrieve PKINIT status and store it in master's KDC entry during configuration. The PKINIT feature can have the following states: * full PKINIT: PKINIT certificate was issued by IPA CA and all clients with IPA CA configured as PKINIT trust anchor will be able to perform PKINIT and request anonymous TGT from this KDC * external PKINIT: the PKINIT certificate was provided by a 3rd party in a PKCS#12 bundle and all clients that have its root CA as anchor can request TGTs by PKINIT * local PKINIT: PKINIT certificate was self-signed by KDC's private key. This is a fallback mechanism usable only locally on the master hosting the KDC. Its intended use is to provide FAST armoring for password authenticated requests (e.g. WebUI logins) See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for more details. https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 82 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index a86cd16..2ea177e 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -48,6 +48,86 @@ from ipaplatform.tasks import tasks from ipaplatform.paths import paths +PKINIT_ENABLED = 'pkinitEnabled' +PKINIT_DISABLED = 'pkinitDisabled' + + +def get_pkinit_request_ca(): + """ + Return the certmonger CA name which is serving the PKINIT certificate + request. If the certificate is not tracked by Certmonger, return None + """ + pkinit_request_id = certmonger.get_request_id( + {'cert-file': paths.KDC_CERT}) + + if pkinit_request_id is None: + return + + return certmonger.get_request_value(pkinit_request_id, 'ca-name') + + +def get_local_pkinit_state(): + """ + Get the PKINIT feature status locally from the presence of KDC certificate + and certmonger tracking status + :returns: PKINIT status (local, external, full) or None if the feature is + not configured + """ + + if not os.path.exists(paths.KDC_CERT): + return + + pkinit_request_ca = get_pkinit_request_ca() + + if pkinit_request_ca is None or pkinit_request_ca == "IPA": + return PKINIT_ENABLED + elif pkinit_request_ca == "SelfSign": + return PKINIT_DISABLED + else: + raise ValueError( + "Unrecognized certmonger CA: {}".format(pkinit_request_ca)) + + +def record_pkinit_state_ldap(_api): + """ + record PKINIT state in the master's KDC entry in LDAP. The state is + recorded in ipaConfigString attribute as a 'pkinit_status:STATUS' where + STATUS is one of (local, external, full). + + Previous value of the pkinit_status will be overwritten + + :param _api: IPA API instance with established LDAP connection + """ + local_state = get_local_pkinit_state() + + if local_state is None: + raise RuntimeError("PKINIT is not configured on this master") + + hostname = _api.env.host + ldap2 = _api.Backend.ldap2 + + master_dn = _api.Object.server.get_dn_if_exists(hostname) + master_kdc_dn = DN(('cn', 'KDC'), master_dn) + kdc_entry = ldap2.get_entry(master_kdc_dn) + + ipa_config_string = set(kdc_entry.get('ipaConfigString', [])) + lowercased_pkinit_states = [ + s.lower() for s in (PKINIT_ENABLED, PKINIT_DISABLED)] + + for val in list(ipa_config_string): + lowercased_val = val.lower() + if lowercased_val == local_state.lower(): + return + elif lowercased_val in lowercased_pkinit_states: + ipa_config_string.remove(val) + + ipa_config_string.add(local_state) + + kdc_entry['ipaConfigString'] = list(ipa_config_string) + + ldap2.update_entry(kdc_entry) + + class KpasswdInstance(service.SimpleServiceInstance): def __init__(self): service.SimpleServiceInstance.__init__(self, "kadmin") @@ -430,6 +510,8 @@ def setup_pkinit(self): elif self.config_pkinit: self.issue_ipa_ca_signed_pkinit_certs() + record_pkinit_state_ldap(self.api) + def test_anonymous_pkinit(self): with ipautil.private_ccache() as anon_ccache: try: From 8f83cb9d54291b5a4caaa1a6eeb7083bd8a37756 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 14:14:11 +0200 Subject: [PATCH 3/8] Use only anonymous PKINIT to fetch armor ccache Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring. https://pagure.io/freeipa/issue/6830 --- ipalib/install/kinit.py | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 1e4d1a8..fb6caee 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -7,7 +7,6 @@ import gssapi -from ipalib.constants import ANON_USER from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import run @@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None, raise RuntimeError(result.error_output) -def kinit_armor(ccache_name): +def kinit_armor(ccache_name, pkinit_anchor=None): """ - perform kinit to obtain anonymous ticket to be used as armor for FAST. + perform anonymous pkinit to obtain anonymous ticket to be used as armor + for FAST. + + :param ccache_name: location of the armor ccache + :param pkinit_anchor: if not None, the location of PKINIT anchor file to + use. Otherwise the value from Kerberos client library configuration is + used + + :raises: CalledProcessError if the anonymous PKINIT fails """ root_logger.debug("Initializing anonymous ccache") env = {'LC_ALL': 'C'} - # try with the keytab first and then again fallback to try with pkinit in - # case someone decided it is fun to remove Anonymous keys from the entry - # or in future pkinit enabled principal enforce the use of pkinit - try: - # Gssapi does not understand anonymous cred use kinit command instead - args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB, - ANON_USER, '-c', ccache_name] - run(args, env=env, raiseonerr=True, capture_error=True) - return - except Exception as e: - root_logger.debug("Failed to init Anonymous keytab: %s", e, - exc_info=True) - - root_logger.debug("Fallback to slower Anonymous PKINIT") args = [paths.KINIT, '-n', '-c', ccache_name] + if pkinit_anchor is not None: + args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)]) + # this workaround enables us to capture stderr and put it # into the raised exception in case of unsuccessful authentication run(args, env=env, raiseonerr=True, capture_error=True) From 8555005e4201088e2d58a214a42b4b16a09acccd Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Wed, 5 Apr 2017 17:29:26 +0200 Subject: [PATCH 4/8] Stop requesting anonymous keytab and purge all references of it anonymous kinit using keytab never worked so we may safely remove all code that requests/uses it. https://pagure.io/freeipa/issue/6830 --- ipaplatform/base/paths.py | 1 - ipaserver/install/httpinstance.py | 17 ----------------- ipaserver/install/ipa_backup.py | 1 - ipaserver/install/server/upgrade.py | 1 - 4 files changed, 20 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9cf160f..1908dda 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -50,7 +50,6 @@ class BasePathNamespace(object): HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf" OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab" HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab" - ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab" HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf" IDMAPD_CONF = "/etc/idmapd.conf" ETC_IPA = "/etc/ipa" diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..0f83bd9 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -30,7 +30,6 @@ import six -from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger from ipaserver.install import service from ipaserver.install import certs @@ -43,7 +42,6 @@ from ipaserver.install import sysupgrade from ipalib import api from ipalib import errors -from ipalib.constants import ANON_USER from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths @@ -159,7 +157,6 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) - self.step("retrieving anonymous keytab", self.request_anon_keytab) self.step("configuring Gssproxy", self.configure_gssproxy) self.step("setting up ssl", self.__setup_ssl) if self.ca_is_configured: @@ -305,20 +302,6 @@ def configure_certmonger_renewal_guard(self): if certmonger_stopped: certmonger.stop() - def request_anon_keytab(self): - parent = os.path.dirname(paths.ANON_KEYTAB) - if not os.path.exists(parent): - os.makedirs(parent, 0o755) - - self.clean_previous_keytab(keytab=paths.ANON_KEYTAB) - self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER) - - pent = pwd.getpwnam(IPAAPI_USER) - os.chmod(parent, 0o700) - os.chown(parent, pent.pw_uid, pent.pw_gid) - - self.set_keytab_owner(keytab=paths.ANON_KEYTAB, owner=IPAAPI_USER) - def create_password_conf(self): """ This is the format of mod_nss pin files. diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index f71a40b..40f08d7 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -120,7 +120,6 @@ class Backup(admintool.AdminTool): ) files = ( - paths.ANON_KEYTAB, paths.NAMED_CONF, paths.NAMED_KEYTAB, paths.RESOLV_CONF, diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 927acb0..ea2918f 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1795,7 +1795,6 @@ def upgrade_configuration(): KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) krb.add_anonymous_principal() - http.request_anon_keytab() setup_pkinit(krb) if not ds_running: From e66bf2d56572f8d9fa82a856e5715d48e98cf28d Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Wed, 5 Apr 2017 15:59:24 +0200 Subject: [PATCH 5/8] test out anonymous PKINIT only when the master is fully configured this is to ensure that we are talking only to our own KDC and not to KDC on remote master that may not support (local) PKINIT functionality and cause errors. https://pagure.io/freeipa/issue/6817 --- ipaserver/install/krbinstance.py | 2 -- ipaserver/install/server/install.py | 6 ++++++ ipaserver/install/server/replicainstall.py | 6 ++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 2ea177e..9711620 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -533,8 +533,6 @@ def enable_ssl(self): self.steps = [] self.step("installing X509 Certificate for PKINIT", self.setup_pkinit) - self.step("testing anonymous PKINIT", self.test_anonymous_pkinit) - self.start_creation() else: self.issue_selfsigned_pkinit_certs() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b360e05..91d8cbc 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -876,6 +876,12 @@ def install(installer): # Make sure the files we crated in /var/run are recreated at startup tasks.configure_tmpfiles() + # Test out anonymous PKINIT. Only inform the users about this when + # `--no-pkinit` was not specified + if not options.no_pkinit: + print("Testing anonymous PKINIT") + krb.test_anonymous_pkinit() + # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index aa8e67f..ae5a5b8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1503,6 +1503,12 @@ def install(installer): # remove the extracted replica file remove_replica_info_dir(installer) + # Test out anonymous PKINIT. Only inform the users about this when + # `--no-pkinit` was not specified + if not options.no_pkinit: + print("Testing anonymous PKINIT") + krb.test_anonymous_pkinit() + # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() From 8b83512bad67dfd52d9432f89f6f2917012520a9 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 15:15:28 +0200 Subject: [PATCH 6/8] Use local anchor when testing out PKINIT configuration The PKINIT configuration can use a different anchor than the one specified in the Kerberos config file. We should always use KDC's anchor on master to avoid false positive errors. https://pagure.io/freeipa/issue/6830 --- ipaserver/install/krbinstance.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 9711620..6f758f6 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -36,6 +36,7 @@ from ipalib import api, errors from ipalib.constants import ANON_USER from ipalib.install import certmonger +from ipalib.install.kinit import kinit_armor from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN from ipapython.dogtag import KDC_PROFILE @@ -515,9 +516,10 @@ def setup_pkinit(self): def test_anonymous_pkinit(self): with ipautil.private_ccache() as anon_ccache: try: - ipautil.run([paths.KINIT, '-n', '-c', anon_ccache]) - except ipautil.CalledProcessError: - raise RuntimeError("Failed to configure anonymous PKINIT") + kinit_armor(anon_ccache, pkinit_anchor=paths.CACERT_PEM) + except ipautil.CalledProcessError as e: + raise RuntimeError( + "Failed to configure anonymous PKINIT: {}".format(e)) def enable_ssl(self): """ From 3a1e4c60334397a1f3683b43d64c060bbf5c380b Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Fri, 31 Mar 2017 15:15:50 +0200 Subject: [PATCH 7/8] Use local anchor when armoring password requests https://pagure.io/freeipa/issue/6830 --- ipaserver/rpcserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 77ed7e1..1618724 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -944,7 +944,7 @@ def kinit(self, principal, password, ccache_name): self.debug('Obtaining armor in ccache %s', armor_path) try: - kinit_armor(armor_path) + kinit_armor(armor_path, pkinit_anchor=paths.CACERT_PEM) except RuntimeError as e: self.error("Failed to obtain armor cache") # We try to continue w/o armor, 2FA will be impacted From b7186d75deaaad8a0bb751eb8ea4bf35172406e9 Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Thu, 6 Apr 2017 18:52:05 +0200 Subject: [PATCH 8/8] Upgrade: configure local/full PKINIT depending on the master status The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry. https://pagure.io/freeipa/issue/6830 http://www.freeipa.org/page/V4/Kerberos_PKINIT --- ipaserver/install/server/upgrade.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index ea2918f..ad45791 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1485,14 +1485,18 @@ def add_default_caacl(ca): def setup_pkinit(krb): root_logger.info("[Setup PKINIT]") - if not api.Command.ca_is_enabled()['result']: - root_logger.info("CA is not enabled") - return + pkinit_state = krbinstance.get_local_pkinit_state() + ca_is_enabled = api.Command.ca_is_enabled()['result'] - if not os.path.exists(paths.KDC_CERT): - root_logger.info("Requesting PKINIT certificate") - krb.setup_pkinit() + pkinit_absent = pkinit_state is None + if ca_is_enabled and pkinit_state != krbinstance.PKINIT_ENABLED: + krb.issue_ipa_ca_signed_pkinit_certs() + elif pkinit_absent: + krb.issue_selfsigned_pkinit_certs() + + # reconfigure KDC just in case in order to handle potentially broken + # 4.5.0 -> 4.5.1 upgrade path replacevars = dict() replacevars['pkinit_identity'] = 'FILE:{},{}'.format( paths.KDC_CERT,paths.KDC_KEY) @@ -1506,6 +1510,9 @@ def setup_pkinit(krb): krb.start() krb.test_anonymous_pkinit() + # finally publish the resulting PKINIT status in LDAP + krbinstance.record_pkinit_state_ldap(api) + def disable_httpd_system_trust(http): ca_certs = []
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
