Attachment 311595 Details for Bug 452402 – Rework the way PKCS#12 files are imported

[patch] Rework the way PKCS#12 files are imported

freeipa-58-pkcs12.patch (text/plain), 29.66 KB, created by Rob Crittenden on 2008-07-11 15:46:44 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Rob Crittenden

Created: 2008-07-11 15:46:44 UTC

Size: 29.66 KB

patch

obsolete

>From 6569891f17962d6dda9f257ca2eae1fa2901d5dd Mon Sep 17 00:00:00 2001
>From: Rob Crittenden <rcrit@ipa.greyoak.com>
>Date: Fri, 11 Jul 2008 11:34:29 -0400
>Subject: [PATCH] Rework the way SSL certificates are imported from PKCS#12 files.
>
>Add the ability to provide PKCS#12 files during initial installation
>Add the ability to provide PKCS#12 files when preparing a replica
>Correct some issues with ipa-server-certinstall
>
>452402
>---
> ipa-server/ipa-install/ipa-replica-install    |    7 ++-
> ipa-server/ipa-install/ipa-replica-prepare    |   75 ++++++++++++++++++++----
> ipa-server/ipa-install/ipa-server-certinstall |   61 +++++++++----------
> ipa-server/ipa-install/ipa-server-install     |   80 ++++++++++++++++++++-----
> ipa-server/ipaserver/certs.py                 |   53 ++++++++++++----
> ipa-server/ipaserver/dsinstance.py            |    9 +++-
> ipa-server/ipaserver/httpinstance.py          |   13 ++++-
> ipa-server/ipaserver/installutils.py          |   18 ++++++
> ipa-server/man/ipa-replica-prepare.1          |   13 ++++
> ipa-server/man/ipa-server-certinstall.1       |    9 +++-
> ipa-server/man/ipa-server-install.1           |   15 ++++-
> 11 files changed, 276 insertions(+), 77 deletions(-)
>
>diff --git a/ipa-server/ipa-install/ipa-replica-install b/ipa-server/ipa-install/ipa-replica-install
>index a2798bb..31fd4cc 100644
>--- a/ipa-server/ipa-install/ipa-replica-install
>+++ b/ipa-server/ipa-install/ipa-replica-install
>@@ -103,7 +103,7 @@ def install_ds(config):
>     pkcs12_info = None
>     if ipautil.file_exists(config.dir + "/dscert.p12"):
>         pkcs12_info = (config.dir + "/dscert.p12",
>-                       config.dir + "/pwdfile.txt")
>+                       config.dir + "/dirsrv_pin.txt")
> 
>     ds = dsinstance.DsInstance()
>     ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>@@ -125,7 +125,7 @@ def install_http(config):
>     pkcs12_info = None
>     if ipautil.file_exists(config.dir + "/httpcert.p12"):
>         pkcs12_info = (config.dir + "/httpcert.p12",
>-                       config.dir + "/pwdfile.txt")
>+                       config.dir + "/http_pin.txt")
> 
>     http = httpinstance.HTTPInstance()
>     http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
>@@ -174,6 +174,9 @@ def main():
>     options, filename = parse_options()
>     installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
> 
>+    if not ipautil.file_exists(filename):
>+        sys.exit("Replica file %s does not exist" % filename)
>+
>     check_dirsrv()
> 
>     top_dir, dir = expand_info(filename)
>diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare
>index 8b5ff22..599ef53 100644
>--- a/ipa-server/ipa-install/ipa-replica-prepare
>+++ b/ipa-server/ipa-install/ipa-replica-prepare
>@@ -40,8 +40,26 @@ def parse_options():
>     parser = OptionParser(version=version.VERSION)
> 
>     args = ipa.config.init_config(sys.argv)
>+
>+    parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", 
>+                      help="install certificate for the directory server")
>+    parser.add_option("--http_pkcs12", dest="http_pkcs12", 
>+                      help="install certificate for the http server")
>+    parser.add_option("--dirsrv_pin", dest="dirsrv_pin", 
>+                      help="PIN for the Directory Server PKCS#12 file")
>+    parser.add_option("--http_pin", dest="http_pin", 
>+                      help="PIN for the Apache Server PKCS#12 file")
>+
>     options, args = parser.parse_args(args)
> 
>+    # If any of the PKCS#12 options are selected, all are required. Create a
>+    # list of the options and count it to enforce that all are required without
>+    # having a huge set of it blocks.
>+    pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
>+    cnt = pkcs12.count(None)
>+    if cnt > 0 and cnt < 4:
>+        parser.error("error: All PKCS#12 options are required if any are used.")
>+   
>     if len(args) != 2:
>         parser.error("must provide the fully-qualified name of the replica")
> 
>@@ -79,10 +97,11 @@ def check_ipa_configuration(realm_name):
>         logging.error("could not find directory instance: %s" % config_dir)
>         sys.exit(1)
> 
>-def export_certdb(realm_name, ds_dir, dir, fname, subject):
>+def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
>     """realm is the kerberos realm for the IPA server.
>        ds_dir is the location of the master DS we are creating a replica for.
>        dir is the location of the files for the replica we are creating.
>+       passwd_fname is the file containing the PKCS#12 password
>        fname is the filename of the PKCS#12 file for this cert (minus the .p12).
>        subject is the subject of the certificate we are creating
>     """
>@@ -95,10 +114,6 @@ def export_certdb(realm_name, ds_dir, dir, fname, subject):
>         raise e
> 
>     pkcs12_fname = dir + "/" + fname + ".p12"
>-    passwd_fname = dir + "/pwdfile.txt"
>-    fd = open(passwd_fname, "w")
>-    fd.write("\n")
>-    fd.close()
> 
>     try:
>         ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
>@@ -150,6 +165,9 @@ def main():
> 
>     replica_fqdn = args[1]
> 
>+    if not ipautil.file_exists("/usr/share/ipa/serial") and not options.dirsrv_pin:
>+        sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
>+
>     print "Determining current realm name"
>     realm_name = get_realm_name()
>     if realm_name is None:
>@@ -177,10 +195,47 @@ def main():
>     dir = top_dir + "/realm_info"
>     os.mkdir(dir, 0700)
> 
>-    print "Creating SSL certificate for the Directory Server"
>-    export_certdb(realm_name, ds_dir, dir, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn)
>-    print "Creating SSL certificate for the Web Server"
>-    export_certdb(realm_name, ds_dir, dir, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn)
>+    if options.dirsrv_pin:
>+        passwd = options.dirsrv_pin
>+    else:
>+        passwd = ""
>+
>+    passwd_fname = dir + "/dirsrv_pin.txt"
>+    fd = open(passwd_fname, "w")
>+    fd.write("%s\n" % passwd)
>+    fd.close()
>+
>+    if options.dirsrv_pkcs12:
>+        print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12
>+        try:
>+            shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12") 
>+        except IOError, e:
>+            print "Copy failed %s" %  e
>+            sys.exit(1)
>+    else:
>+        print "Creating SSL certificate for the Directory Server"
>+        export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn)
>+
>+    if options.http_pin:
>+        passwd = options.http_pin
>+    else:
>+        passwd = ""
>+
>+    passwd_fname = dir + "/http_pin.txt"
>+    fd = open(passwd_fname, "w")
>+    fd.write("%s\n" % passwd)
>+    fd.close()
>+
>+    if options.http_pkcs12:
>+        print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12
>+        try:
>+            shutil.copy(options.http_pkcs12, dir + "/httpcert.p12") 
>+        except IOError, e:
>+            print "Copy failed %s" %  e
>+            sys.exit(1)
>+    else:
>+        print "Creating SSL certificate for the Web Server"
>+        export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn)
>     print "Copying additional files"
>     copy_files(realm_name, dir)
>     print "Finalizing configuration"
>@@ -195,8 +250,6 @@ def main():
> try:
>     if not os.geteuid()==0:
>         sys.exit("\nYou must be root to run this script.\n")
>-    if not ipautil.file_exists("/usr/share/ipa/serial"):
>-        sys.exit("The replica must be created on the primary IPA server.")
> 
>     main()
> except SystemExit, e:
>diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-install/ipa-server-certinstall
>index 89f89a5..835af0a 100644
>--- a/ipa-server/ipa-install/ipa-server-certinstall
>+++ b/ipa-server/ipa-install/ipa-server-certinstall
>@@ -21,6 +21,7 @@
> import sys
> import os
> import pwd
>+import tempfile
> 
> import traceback
> 
>@@ -40,12 +41,18 @@ def parse_options():
>                       default=False, help="install certificate for the directory server")
>     parser.add_option("-w", "--http", dest="http", action="store_true",
>                       default=False, help="install certificate for the http server")
>-
>+    parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
>+                      help="The password of the Directory Server PKCS#12 file")
>+    parser.add_option("--http_pin", dest="http_pin",
>+                      help="The password of the Apache Server PKCS#12 file")
> 
>     options, args = parser.parse_args()
> 
>     if not options.dirsrv and not options.http:
>         parser.error("you must specify dirsrv and/or http")
>+    if ((options.dirsrv and not options.dirsrv_pin) or
>+            (options.http and not options.http_pin)):
>+        parser.error("you must provide the password for the PKCS#12 file")
> 
>     if len(args) != 1:
>         parser.error("you must provide a pkcs12 filename")
>@@ -62,30 +69,13 @@ def set_ds_cert_name(cert_name, dm_password):
> 
>     conn.unbind()
> 
>-def set_http_cert_name(cert_name):
>-    # find the existing cert name
>-    fd = open(httpinstance.NSS_CONF)
>-    nick_name = None
>-    file = []
>-    for line in fd:
>-        if "NSSNickname" in line:
>-            file.append('NSSNickname "%s"\n' % cert_name)
>-        else:
>-            file.append(line)
>-    fd.close()
>-
>-    fd = open(httpinstance.NSS_CONF, "w")
>-    fd.write("".join(file))
>-    fd.close()
>-    
>-        
> def choose_server_cert(server_certs):
>     print "Please select the certificate to use:"
>     num = 1
>     for cert in server_certs:
>         print "%d. %s" % (num, cert[0])
>         num += 1
>-        
>+
>     cert_num = 0
>     while 1:
>         cert_input = raw_input("Certificate number [1]: ")
>@@ -104,17 +94,24 @@ def choose_server_cert(server_certs):
>             cert_num = num - 1
>             break
>     return server_certs[cert_num]
>-    
> 
>-def import_cert(dirname, pkcs12_fname):
>+
>+def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
>     cdb = certs.CertDB(dirname)
>-    cdb.create_passwd_file(False)
>+    cdb.create_passwd_file(db_password)
>     cdb.create_certdbs()
>+    [pw_fd, pw_name] = tempfile.mkstemp()
>+    os.write(pw_fd, pkcs12_passwd)
>+    os.close(pw_fd)
>+
>     try:
>-        cdb.import_pkcs12(pkcs12_fname)
>-    except RuntimeError, e:
>-        print str(e)
>-        sys.exit(1)
>+        try:
>+            cdb.import_pkcs12(pkcs12_fname, pw_name)
>+        except RuntimeError, e:
>+            print str(e)
>+            sys.exit(1)
>+    finally:
>+        os.remove(pw_name)
> 
>     server_certs = cdb.find_server_certs()
>     if len(server_certs) == 0:
>@@ -137,14 +134,17 @@ def main():
>             dm_password = getpass.getpass("Directory Manager password: ")
>             realm = get_realm_name()
>             dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
>-            server_cert = import_cert(dirname, pkcs12_fname)
>+            fd = open(dirname + "/pwdfile.txt")
>+            passwd = fd.read()
>+            fd.close()
>+
>+            server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
>             set_ds_cert_name(server_cert[0], dm_password)
> 
>         if options.http:
>             dirname = httpinstance.NSS_DIR
>-            server_cert = import_cert(dirname, pkcs12_fname)
>-            print server_cert
>-            set_http_cert_name(server_cert[0])
>+            server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
>+            installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0])
> 
>             # Fix the database permissions
>             os.chmod(dirname + "/cert8.db", 0640)
>@@ -163,5 +163,4 @@ def main():
> 
>     return 0
> 
>-    
> sys.exit(main())
>diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
>index a48fca8..79d64bf 100644
>--- a/ipa-server/ipa-install/ipa-server-install
>+++ b/ipa-server/ipa-install/ipa-server-install
>@@ -50,6 +50,8 @@ from ipaserver.installutils import *
> from ipa import sysrestore
> from ipa.ipautil import *
> 
>+pw_name = None
>+
> def parse_options():
>     parser = OptionParser(version=version.VERSION)
>     parser.add_option("-u", "--user", dest="ds_user",
>@@ -76,6 +78,14 @@ def parse_options():
>                       default=False, help="uninstall an existing installation")
>     parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
>                       help="do not configure ntp", default=True)
>+    parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", 
>+                      help="PKCS#12 file containing the Directory Server SSL certificate")
>+    parser.add_option("--http_pkcs12", dest="http_pkcs12", 
>+                      help="PKCS#12 file containing the Apache Server SSL certificate")
>+    parser.add_option("--dirsrv_pin", dest="dirsrv_pin", 
>+                      help="The password of the Directory Server PKCS#12 file")
>+    parser.add_option("--http_pin", dest="http_pin", 
>+                      help="The password of the Apache Server PKCS#12 file")
> 
>     options, args = parser.parse_args()
> 
>@@ -89,6 +99,14 @@ def parse_options():
>             not options.dm_password or not options.admin_password):
>             parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options")
> 
>+    # If any of the PKCS#12 options are selected, all are required. Create a
>+    # list of the options and count it to enforce that all are required without
>+    # having a huge set of it blocks.
>+    pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
>+    cnt = pkcs12.count(None)
>+    if cnt > 0 and cnt < 4:
>+        parser.error("error: All PKCS#12 options are required if any are used.")
>+
>     return options
> 
> def signal_handler(signum, frame):
>@@ -312,6 +330,7 @@ def uninstall():
> 
> def main():
>     global ds
>+    global pw_name
>     ds = None
> 
>     options = parse_options()
>@@ -486,17 +505,38 @@ def main():
>         ntp = ipaserver.ntpinstance.NTPInstance(fstore)
>         ntp.create_instance()
> 
>+    if options.dirsrv_pin:
>+        [pw_fd, pw_name] = tempfile.mkstemp()
>+        os.write(pw_fd, options.dirsrv_pin)
>+        os.close(pw_fd)
>+
>     # Create a directory server instance
>     ds = ipaserver.dsinstance.DsInstance()
>-    ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
>+    if options.dirsrv_pkcs12:
>+        pkcs12_info = (options.dirsrv_pkcs12, pw_name)
>+        ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info)
>+        os.remove(pw_name)
>+    else:
>+        ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
> 
>     # Create a kerberos instance
>     krb = ipaserver.krbinstance.KrbInstance(fstore)
>     krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
> 
>     # Create a HTTP instance
>+
>+    if options.http_pin:
>+        [pw_fd, pw_name] = tempfile.mkstemp()
>+        os.write(pw_fd, options.http_pin)
>+        os.close(pw_fd)
>+
>     http = ipaserver.httpinstance.HTTPInstance(fstore)
>-    http.create_instance(realm_name, host_name, domain_name)
>+    if options.http_pkcs12:
>+        pkcs12_info = (options.http_pkcs12, pw_name)
>+        http.create_instance(realm_name, host_name, domain_name, False, pkcs12_info)
>+        os.remove(pw_name)
>+    else:
>+        http.create_instance(realm_name, host_name, domain_name, False)
> 
>     # Create the config file
>     fstore.backup_file("/etc/ipa/ipa.conf")
>@@ -563,20 +603,30 @@ def main():
>         print "\t   and servers for correct operation. You should consider enabling ntpd."
> 
>     print ""
>-    print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12"
>-    print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt"
>+    if not options.dirsrv_pkcs12:
>+        print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12"
>+        print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt"
>+    else:
>+        print "In order for Firefox autoconfiguration to work you will need to"
>+        print "use a SSL signing certificate. See the IPA documentation for more details."
>+        print "You also need to install a PEM copy of the HTTP issuing CA into"
>+        print "/usr/share/ipa/html/ca.crt"
> 
>     return 0
> 
> try:
>-    sys.exit(main())
>-except SystemExit, e:
>-    sys.exit(e)
>-except Exception, e:
>-    message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e)
>-    print message
>-    message = str(e)
>-    for str in traceback.format_tb(sys.exc_info()[2]):
>-        message = message + "\n" + str
>-    logging.debug(message)
>-    sys.exit(1)
>+    try:
>+        sys.exit(main())
>+    except SystemExit, e:
>+        sys.exit(e)
>+    except Exception, e:
>+        message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e)
>+        print message
>+        message = str(e)
>+        for str in traceback.format_tb(sys.exc_info()[2]):
>+            message = message + "\n" + str
>+        logging.debug(message)
>+        sys.exit(1)
>+finally:
>+    if pw_name and ipautil.file_exists(pw_name):
>+        os.remove(pw_name)
>diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
>index 12fb354..ca2db22 100644
>--- a/ipa-server/ipaserver/certs.py
>+++ b/ipa-server/ipaserver/certs.py
>@@ -128,13 +128,13 @@ class CertDB(object):
>         f.write(self.gen_password())
>         self.set_perms(self.noise_fname)
> 
>-    def create_passwd_file(self, passwd=True):
>+    def create_passwd_file(self, passwd=None):
>         ipautil.backup_file(self.passwd_fname)
>         f = open(self.passwd_fname, "w")
>-        if passwd:
>-            f.write(self.gen_password())
>+        if passwd is not None:
>+            f.write("%s\n" % passwd)
>         else:
>-            f.write("\n")
>+            f.write(self.gen_password())
>         f.close()
>         self.set_perms(self.passwd_fname)
> 
>@@ -159,14 +159,14 @@ class CertDB(object):
>                            "-z", self.noise_fname,
>                            "-f", self.passwd_fname])
> 
>-    def export_ca_cert(self, create_pkcs12=False):
>+    def export_ca_cert(self, nickname, create_pkcs12=False):
>         """create_pkcs12 tells us whether we should create a PKCS#12 file
>            of the CA or not. If we are running on a replica then we won't
>            have the private key to make a PKCS#12 file so we don't need to
>            do that step."""
>         # export the CA cert for use with other apps
>         ipautil.backup_file(self.cacert_fname)
>-        self.run_certutil(["-L", "-n", "CA certificate",
>+        self.run_certutil(["-L", "-n", nickname,
>                            "-a",
>                            "-o", self.cacert_fname])
>         self.set_perms(self.cacert_fname)
>@@ -174,7 +174,7 @@ class CertDB(object):
>             ipautil.backup_file(self.pk12_fname)
>             ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
>                          "-o", self.pk12_fname,
>-                         "-n", "CA certificate",
>+                         "-n", self.cacert_name,
>                          "-w", self.passwd_fname,
>                          "-k", self.passwd_fname])
>             self.set_perms(self.pk12_fname)
>@@ -296,7 +296,7 @@ class CertDB(object):
>         f.close()
>         self.set_perms(self.pin_fname)
> 
>-    def trust_root_cert(self, nickname):
>+    def find_root_cert(self, nickname):
>         p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
>                               "-O", "-n", nickname], stdout=subprocess.PIPE)
> 
>@@ -305,6 +305,11 @@ class CertDB(object):
> 
>         root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
> 
>+        return root_nickname
>+
>+    def trust_root_cert(self, nickname):
>+        root_nickname = self.find_root_cert(nickname)
>+
>         self.run_certutil(["-M", "-n", root_nickname,
>                            "-t", "CT,CT,"])
> 
>@@ -350,28 +355,50 @@ class CertDB(object):
>                      "-k", self.passwd_fname,
>                      "-w", pkcs12_pwd_fname])
> 
>-    def create_self_signed(self, passwd=True):
>+    def create_self_signed(self, passwd=None):
>         self.create_noise_file()
>         self.create_passwd_file(passwd)
>         self.create_certdbs()
>         self.create_ca_cert()
>-        self.export_ca_cert(True)
>+        self.export_ca_cert(self.cacert_name, True)
>         self.create_pin_file()
> 
>-    def create_from_cacert(self, cacert_fname, passwd=False):
>+    def create_from_cacert(self, cacert_fname, passwd=""):
>         self.create_noise_file()
>         self.create_passwd_file(passwd)
>         self.create_certdbs()
>         self.load_cacert(cacert_fname)
> 
>-    def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname="CA certificate", passwd=True):
>+    def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, passwd=None):
>+        """Create a new NSS database using the certificates in a PKCS#12 file.
>+
>+           pkcs12_fname: the filename of the PKCS#12 file
>+           pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
>+           nickname: the nickname/friendly-name of the cert we are loading
>+           passwd: The password to use for the new NSS database we are creating
>+        """
>         self.create_noise_file()
>         self.create_passwd_file(passwd)
>         self.create_certdbs()
>         self.import_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
>+        server_certs = self.find_server_certs()
>+        if len(server_certs) == 0:
>+            raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
>+
>+        # We only handle one server cert
>+        nickname = server_certs[0][0]
>+
>+        self.cacert_name = self.find_root_cert(nickname)
>         self.trust_root_cert(nickname)
>         self.create_pin_file()
>-        self.export_ca_cert(False)
>+        self.export_ca_cert(self.cacert_name, False)
>+
>+        # This file implies that we have our own self-signed CA. Ensure
>+        # that it no longer exists (from previous installs, for example).
>+        try:
>+            os.remove("/usr/share/ipa/serial")
>+        except:
>+            pass
> 
>     def backup_files(self):
>         self.fstore.backup_file(self.noise_fname)
>diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
>index 540ff68..d313b4e 100644
>--- a/ipa-server/ipaserver/dsinstance.py
>+++ b/ipa-server/ipaserver/dsinstance.py
>@@ -324,9 +324,16 @@ class DsInstance(service.Service):
>         ca = certs.CertDB(dirname)
>         if self.pkcs12_info:
>             ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>+            server_certs = ca.find_server_certs()
>+            if len(server_certs) == 0:
>+                raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_info[0])
>+
>+            # We only handle one server cert
>+            nickname = server_certs[0][0]
>         else:
>             ca.create_self_signed()
>             ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name)
>+            nickname = "Server-Cert"
> 
>         conn = ipaldap.IPAdmin("127.0.0.1")
>         conn.simple_bind_s("cn=directory manager", self.dm_password)
>@@ -347,7 +354,7 @@ class DsInstance(service.Service):
> 
>         entry.setValues("objectclass", "top", "nsEncryptionModule")
>         entry.setValues("cn", "RSA")
>-        entry.setValues("nsSSLPersonalitySSL", "Server-Cert")
>+        entry.setValues("nsSSLPersonalitySSL", nickname)
>         entry.setValues("nsSSLToken", "internal (software)")
>         entry.setValues("nsSSLActivation", "on")
> 
>diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
>index c5f8b50..f5a903b 100644
>--- a/ipa-server/ipaserver/httpinstance.py
>+++ b/ipa-server/ipaserver/httpinstance.py
>@@ -145,6 +145,9 @@ class HTTPInstance(service.Service):
>         if installutils.update_file(NSS_CONF, '8443', '443') != 0:
>             print "Updating port in %s failed." % NSS_CONF
> 
>+    def __set_mod_nss_nickname(self, nickname):
>+        installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
>+
>     def __add_include(self):
>         """This should run after __set_mod_nss_port so is already backed up"""
>         if installutils.update_file(NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
>@@ -154,7 +157,15 @@ class HTTPInstance(service.Service):
>         ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(self.realm)))
>         ca = certs.CertDB(NSS_DIR)
>         if self.pkcs12_info:
>-            ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd=False)
>+            ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
>+            server_certs = ca.find_server_certs()
>+            if len(server_certs) == 0:
>+                raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_info[0])
>+
>+            # We only handle one server cert
>+            nickname = server_certs[0][0]
>+
>+            self.__set_mod_nss_nickname(nickname)
>         else:
>             ca.create_from_cacert(ds_ca.cacert_fname)
>             ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
>diff --git a/ipa-server/ipaserver/installutils.py b/ipa-server/ipaserver/installutils.py
>index ee3c1c7..674cf7d 100644
>--- a/ipa-server/ipaserver/installutils.py
>+++ b/ipa-server/ipaserver/installutils.py
>@@ -200,6 +200,24 @@ def update_file(filename, orig, subst):
>         print "File %s doesn't exist." % filename
>         return 1
> 
>+def set_directive(filename, directive, value):
>+    """Set a name/value pair directive in a configuration file.
>+
>+       This has only been tested with nss.conf
>+    """
>+    fd = open(filename)
>+    file = []
>+    for line in fd:
>+        if directive in line:
>+            file.append('%s "%s"\n' % (directive, value))
>+        else:
>+            file.append(line)
>+    fd.close()
>+
>+    fd = open(filename, "w")
>+    fd.write("".join(file))
>+    fd.close()
>+
> def kadmin(command):
>     ipautil.run(["/usr/kerberos/sbin/kadmin.local", "-q", command])
> 
>diff --git a/ipa-server/man/ipa-replica-prepare.1 b/ipa-server/man/ipa-replica-prepare.1
>index b04bb66..3ebf1c1 100644
>--- a/ipa-server/man/ipa-replica-prepare.1
>+++ b/ipa-server/man/ipa-replica-prepare.1
>@@ -29,6 +29,19 @@ A replica can only be created on an IPA server installed with ipa\-server\-insta
> You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
> 
> Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname.
>+.SH "OPTIONS"
>+.TP 
>+\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
>+PKCS#12 file containing the Directory Server SSL Certificate
>+.TP 
>+\fB\-\-http_pkcs12\fR=\fIFILE\fR
>+PKCS#12 file containing the Apache Server SSL Certificate
>+.TP 
>+\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
>+The password of the Directory Server PKCS#12 file
>+.TP 
>+\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
>+The password of the Apache Server PKCS#12 file
> .SH "EXIT STATUS"
> 0 if the command was successful
> 
>diff --git a/ipa-server/man/ipa-server-certinstall.1 b/ipa-server/man/ipa-server-certinstall.1
>index 9506769..0e1485f 100644
>--- a/ipa-server/man/ipa-server-certinstall.1
>+++ b/ipa-server/man/ipa-server-certinstall.1
>@@ -26,8 +26,9 @@ Replace the current SSL Directory and/or Apache server certificate(s) with the c
> 
> PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
> 
>-They may be generated and managed using the NSS pk12util command or the OpeNSSL pkcs12 command.
>+They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
> 
>+The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
> .SH "OPTIONS"
> .TP 
> \fB\-d\fR, \fB\-\-dirsrv\fR
>@@ -35,6 +36,12 @@ Install the certificate on the Directory Server
> .TP 
> \fB\-w\fR, \fB\-\-http\fR
> Install the certificate in the Apache Web Server
>+.TP 
>+\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
>+The password of the Directory Server PKCS#12 file
>+.TP 
>+\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
>+The password of the Apache Server PKCS#12 file
> .SH "EXIT STATUS"
> 0 if the installation was successful
> 
>diff --git a/ipa-server/man/ipa-server-install.1 b/ipa-server/man/ipa-server-install.1
>index 9fa06c7..c03c290 100644
>--- a/ipa-server/man/ipa-server-install.1
>+++ b/ipa-server/man/ipa-server-install.1
>@@ -60,10 +60,21 @@ Generate a DNS zone file that contains auto\-discovery records for this IPA serv
> .TP 
> \fB\-n\fR, \fB\-\-no\-ntp\fR
> Do not configure NTP
>-<fb>\-U\fR, \fB\-\-uninstall\fR
>+\fB\-U\fR, \fB\-\-uninstall\fR
> Uninstall an existing IPA installation
>+.TP 
>+\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
>+PKCS#12 file containing the Directory Server SSL Certificate
>+.TP 
>+\fB\-\-http_pkcs12\fR=\fIFILE\fR
>+PKCS#12 file containing the Apache Server SSL Certificate
>+.TP 
>+\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
>+The password of the Directory Server PKCS#12 file
>+.TP 
>+\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
>+The password of the Apache Server PKCS#12 file
> .PP 
>-By default the full name, home Directory and login shell and username fields are displayed.
> .SH "EXIT STATUS"
> 0 if the installation was successful
> 
>-- 
>1.5.4.1
>

Actions: View | Diff

Attachments on bug 452402: 311595 | 312683