|
 |
5144c6 |
From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
|
|
|
5144c6 |
From: Alexander Scheel <ascheel@redhat.com>
|
|
|
5144c6 |
Date: Fri, 19 Jun 2020 08:48:56 -0400
|
|
|
5144c6 |
Subject: [PATCH] Specify cert_paths when calling PKIConnection
|
|
|
5144c6 |
|
|
|
5144c6 |
PKIConnection now defaults to specifying verify=True. We've introduced
|
|
|
5144c6 |
a new parameter, cert_paths, to specify additional paths (directories or
|
|
|
5144c6 |
files) to load as certificates. Specify the IPA CA certificate file so
|
|
|
5144c6 |
we can guarantee connections succeed and validate the peer's certificate.
|
|
|
5144c6 |
|
|
|
5144c6 |
Point to IPA CA certificate during pkispawn
|
|
|
5144c6 |
|
|
|
5144c6 |
Bump pki_version to 10.9.0-0.4 (aka -b2)
|
|
|
5144c6 |
|
|
|
5144c6 |
Fixes: https://pagure.io/freeipa/issue/8379
|
|
|
5144c6 |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
|
|
|
5144c6 |
Related: https://github.com/dogtagpki/pki/pull/443
|
|
|
5144c6 |
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
|
|
|
5144c6 |
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
|
5144c6 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
5144c6 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
5144c6 |
---
|
|
|
5144c6 |
freeipa.spec.in | 6 +++---
|
|
|
5144c6 |
install/tools/ipa-pki-wait-running.in | 3 ++-
|
|
|
5144c6 |
ipaserver/install/cainstance.py | 7 +++++++
|
|
|
5144c6 |
ipaserver/install/dogtaginstance.py | 3 ++-
|
|
|
5144c6 |
ipaserver/plugins/dogtag.py | 11 +++++------
|
|
|
5144c6 |
5 files changed, 19 insertions(+), 11 deletions(-)
|
|
|
5144c6 |
|
|
|
5144c6 |
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
|
5144c6 |
index 74e752ea5..d00b9d640 100755
|
|
|
5144c6 |
--- a/freeipa.spec.in
|
|
|
5144c6 |
+++ b/freeipa.spec.in
|
|
|
5144c6 |
@@ -112,9 +112,9 @@
|
|
|
5144c6 |
# Fedora
|
|
|
5144c6 |
%endif
|
|
|
5144c6 |
|
|
|
5144c6 |
-# 10.7.3 supports LWCA key replication using AES
|
|
|
5144c6 |
-# https://pagure.io/freeipa/issue/8020
|
|
|
5144c6 |
-%global pki_version 10.7.3-1
|
|
|
5144c6 |
+# PKIConnection has been modified to always validate certs.
|
|
|
5144c6 |
+# https://pagure.io/freeipa/issue/8379
|
|
|
5144c6 |
+%global pki_version 10.9.0-0.4
|
|
|
5144c6 |
|
|
|
5144c6 |
# https://pagure.io/certmonger/issue/90
|
|
|
5144c6 |
%global certmonger_version 0.79.7-1
|
|
|
5144c6 |
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
|
|
|
5144c6 |
index 69f5ec296..4f0f2f34a 100644
|
|
|
5144c6 |
--- a/install/tools/ipa-pki-wait-running.in
|
|
|
5144c6 |
+++ b/install/tools/ipa-pki-wait-running.in
|
|
|
5144c6 |
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
|
|
|
5144c6 |
"""
|
|
|
5144c6 |
conn = PKIConnection(
|
|
|
5144c6 |
hostname=hostname,
|
|
|
5144c6 |
- subsystem=subsystem
|
|
|
5144c6 |
+ subsystem=subsystem,
|
|
|
5144c6 |
+ cert_paths=paths.IPA_CA_CRT
|
|
|
5144c6 |
)
|
|
|
5144c6 |
logger.info(
|
|
|
5144c6 |
"Created connection %s://%s:%s/%s",
|
|
|
5144c6 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
5144c6 |
index 706bc28cc..9294f1dba 100644
|
|
|
5144c6 |
--- a/ipaserver/install/cainstance.py
|
|
|
5144c6 |
+++ b/ipaserver/install/cainstance.py
|
|
|
5144c6 |
@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
|
|
|
5144c6 |
else:
|
|
|
5144c6 |
pki_pin = None
|
|
|
5144c6 |
|
|
|
5144c6 |
+ # When spawning a CA instance, always point to IPA_CA_CRT if it
|
|
|
5144c6 |
+ # exists. Later, when we're performing step 2 of an external CA
|
|
|
5144c6 |
+ # installation, we'll overwrite this key to point to the real
|
|
|
5144c6 |
+ # external CA.
|
|
|
5144c6 |
+ if os.path.exists(paths.IPA_CA_CRT):
|
|
|
5144c6 |
+ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
|
|
|
5144c6 |
+
|
|
|
5144c6 |
if self.clone:
|
|
|
5144c6 |
if self.no_db_setup:
|
|
|
5144c6 |
cfg.update(
|
|
|
5144c6 |
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
|
5144c6 |
index 361d80a8c..7e295665c 100644
|
|
|
5144c6 |
--- a/ipaserver/install/dogtaginstance.py
|
|
|
5144c6 |
+++ b/ipaserver/install/dogtaginstance.py
|
|
|
5144c6 |
@@ -70,7 +70,8 @@ def get_security_domain():
|
|
|
5144c6 |
connection = PKIConnection(
|
|
|
5144c6 |
protocol='https',
|
|
|
5144c6 |
hostname=api.env.ca_host,
|
|
|
5144c6 |
- port='8443'
|
|
|
5144c6 |
+ port='8443',
|
|
|
5144c6 |
+ cert_paths=paths.IPA_CA_CRT
|
|
|
5144c6 |
)
|
|
|
5144c6 |
domain_client = pki.system.SecurityDomainClient(connection)
|
|
|
5144c6 |
info = domain_client.get_security_domain_info()
|
|
|
5144c6 |
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
|
|
5144c6 |
index 4de26d76f..b300f6b18 100644
|
|
|
5144c6 |
--- a/ipaserver/plugins/dogtag.py
|
|
|
5144c6 |
+++ b/ipaserver/plugins/dogtag.py
|
|
|
5144c6 |
@@ -2082,13 +2082,12 @@ class kra(Backend):
|
|
|
5144c6 |
'https',
|
|
|
5144c6 |
self.kra_host,
|
|
|
5144c6 |
str(self.kra_port),
|
|
|
5144c6 |
- 'kra')
|
|
|
5144c6 |
+ 'kra',
|
|
|
5144c6 |
+ cert_paths=paths.IPA_CA_CRT
|
|
|
5144c6 |
+ )
|
|
|
5144c6 |
|
|
|
5144c6 |
- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
|
|
|
5144c6 |
- # uncomment the following when this commit makes it to release
|
|
|
5144c6 |
- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
|
|
|
5144c6 |
- # connection.set_authentication_cert(paths.RA_AGENT_PEM,
|
|
|
5144c6 |
- # paths.RA_AGENT_KEY)
|
|
|
5144c6 |
+ connection.set_authentication_cert(paths.RA_AGENT_PEM,
|
|
|
5144c6 |
+ paths.RA_AGENT_KEY)
|
|
|
5144c6 |
|
|
|
5144c6 |
try:
|
|
|
5144c6 |
yield KRAClient(connection, crypto)
|
|
|
5144c6 |
--
|
|
|
5144c6 |
2.26.2
|
|
|
5144c6 |
|