From aded4bd0d6d088f6bc0a22577ff5f10b1df97199 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 8 Sep 2020 18:37:31 -0400
Subject: [PATCH 1/2] ipatests: test ipa_server_certinstall with an IPA-issued
 cert

ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.

This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
 .../test_integration/test_installation.py     | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 98bdc98ab8..249e2bf890 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -358,6 +358,30 @@ def test_ipa_ca_crt_permissions(self):
         assert owner == "root"
         assert group == "root"
 
+    def test_cert_install_with_IPA_issued_cert(self):
+        """
+        Test replacing an IPA-issued server cert
+
+        ipa-server-certinstall can replace the web and LDAP certs.
+        A slightly different code path is taken when the replacement
+        certs are issued by IPA. Exercise that path by replacing the
+        web cert with itself.
+        """
+        self.master.run_command(['cp', '-p', paths.HTTPD_CERT_FILE, '/tmp'])
+        self.master.run_command(['cp', '-p', paths.HTTPD_KEY_FILE, '/tmp'])
+
+        passwd = self.master.get_file_contents(
+            paths.HTTPD_PASSWD_FILE_FMT.format(host=self.master.hostname)
+        )
+        self.master.run_command([
+            'ipa-server-certinstall',
+            '-p', self.master.config.dirman_password,
+            '-w',
+            '--pin', passwd,
+            '/tmp/httpd.crt',
+            '/tmp/httpd.key',
+        ])
+
     def test_is_ipa_configured(self):
         """Verify that the old and new methods of is_ipa_installed works
 
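Review bot: The new test_cert_install_with_IPA_issued_cert runs ipa-server-certinstall but asserts nothing afterwards, so it only proves the command exited cleanly (assuming run_command raises on non-zero status); it should at least check that the installed cert still matches what was passed in, e.g. `assert self.master.get_file_contents(paths.HTTPD_CERT_FILE) == self.master.get_file_contents('/tmp/httpd.crt')`, and ideally that the certmonger request it touched is still tracked. The private key copied to /tmp is never removed; a `finally:` that deletes `/tmp/httpd.crt` and `/tmp/httpd.key` would keep it from outliving the test. The literal `/tmp/httpd.crt` and `/tmp/httpd.key` silently depend on the basenames of paths.HTTPD_CERT_FILE and paths.HTTPD_KEY_FILE; deriving the target from `os.path.basename(paths.HTTPD_CERT_FILE)` avoids a mismatch if those paths change. The test also hands the Directory Manager password and the NSS PIN on the command line via `-p` and `--pin`, which is visible in the process list on the test host; a short comment noting that this is acceptable only in the test harness would be worth adding.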

From 945076b52193a7131ac0bd8734fc0482043de988 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 8 Sep 2020 18:38:40 -0400
Subject: [PATCH 2/2] Set the certmonger subject with a string, not an object

ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/ipa_server_certinstall.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index ac0134086e..74f7ff1f3e 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -170,7 +170,7 @@ def replace_http_cert(self):
         if req_id is not None:
             certmonger.add_principal(
                 req_id, 'HTTP/{host}'.format(host=api.env.host))
-            certmonger.add_subject(req_id, cert.subject)
+            certmonger.add_subject(req_id, str(DN(cert.subject)))
 
     def replace_kdc_cert(self):
         # pass in `realm` to perform `NSSDatabase.verify_kdc_cert_validity()`
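Review bot: The fix relies on the name `DN` being in scope in ipa_server_certinstall.py, which this hunk does not show; if the module did not already import it, the change needs the corresponding import or the IPA-issued path will fail with a NameError instead of the dbus error it is replacing. The reason for the conversion is only in the commit message, so a one-line comment at the changed line would help the next reader, e.g. `# certmonger's dbus API takes the subject as a string, not an x509 Name`. The enclosing replace_http_cert begins before the hunk, and the branch that reaches this line is presumably the IPA-issued case described in the commit message.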
