CA-less installation fix #650
ipaserver/install/httpinstance.py
| # We only handle one server cert | ||
| nickname = server_certs[0][0] | ||
| if nickname == 'ipaCert': | ||
| nickname = server_certs[1][0] |
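Review bot: if the ipaCert fallback stays, as the comment below argues it must, `nickname = server_certs[1][0]` still assumes a second entry exists in server_certs; add a length check before the index so a database holding only ipaCert fails with a clear error rather than an IndexError.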
Removing this is not safe, there are various reasons ipaCert might be present in /etc/httpd/alias even now (previous install of older IPA version, etc.)
ipaserver/install/httpinstance.py
| @@ -441,7 +446,8 @@ def __import_ca_certs(self): | |||
| def __publish_ca_cert(self): | |||
| ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, | |||
| subject_base=self.subject_base) | |||
| ca_db.publish_ca_cert(paths.CA_CRT) | |||
| ca_nickname = ca_db.find_root_cert(self.cert_nickname)[-1] | |||
| ca_db.export_pem_cert(ca_nickname, paths.CA_CRT) | |||
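Review bot: `ca_db.find_root_cert(self.cert_nickname)[-1]` re-derives the CA nickname at publish time and indexes the result without checking it is non-empty; since __setup_ssl() already learns the CA nickname when the database is populated from the PKCS#12 file, storing it there and setting ca_db.cacert_name from it (as suggested below) makes this lookup unnecessary. Also, once publish_ca_cert() is no longer called here, remove the now-unused NSSDatabase.publish_ca_cert(), otherwise pylint flags it.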
If you add this line at the end of __setup_ssl():

    self.cacert_name = db.cacert_name

You can replace this change and all of the other changes with this single line here, above ca_db.publish_ca_cert():

    ca_db.cacert_name = self.cacert_name
Ah, right, I did not realize this will be set to the correct value during the initialization from pkcs12.
5b8c0f3 to 1ab199a
Fixed according to the comments, thanks.

@stlaz,

Huh, I did not notice, thanks. Removing it, I could have removed the big fat comment about why not to use it.

@stlaz, please rebase.
During CA-less installation, we initialize the HTTPD alias database from a pkcs12 file. This means there's going to be different nicknames to the added certificates. Store the CA certificate nickname in HTTPInstance__setup_ssl() to be able to correctly export it later. https://pagure.io/freeipa/issue/6806
I found additional bugs in CA-less (replica) install, but with this PR,

Actually, there is a pylint failure introduced by this PR:
NSSDatabase.publish_ca_cert() is not used anymore, remove it. https://pagure.io/freeipa/issue/6806
Sorry, must have screwed up the rebase.

@stlaz, please also provide a version of this PR rebased on ipa-4-5.

Done in #685
These patches fix the CA-less installation by guessing the names for CA and server-cert nicknames in /etc/httpd/alias. The fix is not very nice since it's guessing but I am not sure if there's anything else we can do at this point.
Also, HTTPInstance.start/stop_tracking_certificates would probably not need the guessing since it's only relevant for CA-full installations where we know the server-cert nickname is Server-Cert, so I can replace it there if you think that'd be better.
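As an added example (not FreeIPA code) illustrating the PR description above: a small Python model of why guessing nicknames back from an NSS database listing is fragile once the database was populated from a PKCS#12 file, next to the approach the review settled on, recording the CA nickname at import time. The certutil-style listing and all nicknames are constructed.

```python
# Added example, not FreeIPA code: why guessing nicknames in the HTTPD NSS
# database is fragile after a CA-less install, and how recording the CA nickname
# at PKCS#12 import time (the approach settled on in the review) avoids it.
# All nicknames and the certutil-style listing below are constructed.
from typing import Dict, List, Tuple

# Constructed `certutil -L` style listing: a CA-less install populated from a
# PKCS#12 bundle (leaf + intermediate + root) plus a stale ipaCert left over
# from an older IPA version. Trust columns are SSL,S/MIME,JAR/XPI.
CERTUTIL_LISTING = """\
Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

Example Corp Root CA                              CT,C,C
Example Corp Issuing CA                           ,,
ipaCert                                           u,u,u
httpd.example.test                                u,u,u
"""


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Turn the listing into (nickname, trust_flags) pairs, skipping the header."""
    certs = []
    for line in text.splitlines()[2:]:
        if line.strip():
            nickname, _, flags = line.rpartition(" ")
            certs.append((nickname.strip(), flags.strip()))
    return certs


def is_ca_trusted(flags: str) -> bool:
    """A cert with 'C' or 'T' in the SSL trust column is a trusted CA."""
    ssl_trust = flags.split(",")[0]
    return "C" in ssl_trust or "T" in ssl_trust


def guess_server_nickname(certs: List[Tuple[str, str]]) -> str:
    """The guessing approach: take the only non-CA cert that is not ipaCert.
    It breaks as soon as the PKCS#12 also carried an untrusted intermediate."""
    candidates = [n for n, f in certs if not is_ca_trusted(f) and n != "ipaCert"]
    if len(candidates) != 1:
        raise ValueError("ambiguous server certificate: %r" % candidates)
    return candidates[0]


def record_from_pkcs12(leaf: str, chain: List[str]) -> Dict[str, str]:
    """The import already knows the bundle's structure, so record the nicknames
    here (like setting cacert_name in __setup_ssl) instead of guessing later."""
    return {"server_nickname": leaf, "cacert_name": chain[-1]}
```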