[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Fri Nov 15 14:36:51 UTC 2013

Tomas Babej wrote:
> On 11/15/2013 02:46 PM, Ana Krivokapic wrote:
>> On 11/13/2013 02:57 PM, Tomas Babej wrote:
>>> On 09/27/2013 10:14 AM, Martin Kosek wrote:
>>>> On 09/26/2013 04:46 PM, Jan Cholasta wrote:
>>>>> On 26.9.2013 12:59, Tomas Babej wrote:
>>>>>> On 09/26/2013 12:54 PM, Jan Cholasta wrote:
>>>>>>> On 24.9.2013 18:14, Nalin Dahyabhai wrote:
>>>>>>>> On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
>>>>>>>>> We discussed this with Tomáš off-line and it turns out that
>>>>>>>>> ipa-client-install fails if the CA cert is not added to
>>>>>>>>> /etc/pki/nssdb.
>>>>>>>>>
>>>>>>>>> However, according to p11-kit docs it should work:
>>>>>>>>> <http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
>>>>>>>>> wonder what needs to be done to make it work in IPA...
>>>>>>>>
>>>>>>>> On my system, there's no symlink to libnssckbi.so (or the right
>>>>>>>> location
>>>>>>>> in the link farm under /etc/alternatives) in /etc/pki/nssdb, so
>>>>>>>> that
>>>>>>>> database isn't going to automatically pull in the list of
>>>>>>>> trusted CAs
>>>>>>>> that p11-kit maintains.
>>>>>>>>
>>>>>>>> Whether the database under /etc/pki/nssdb should automatically
>>>>>>>> include
>>>>>>>> the usual set of trust anchors is probably a different
>>>>>>>> conversation.
>>>>>>>
>>>>>>> Thanks for the info.
>>>>>>>
>>>>>>> Tomáš, the patch is fine then. I have one more nitpick though:
>>>>>>> why did
>>>>>>> you change "the default NSS database" to "the NSS database"? The
>>>>>>> database in /etc/pki/nssdb *is* the default NSS database, so please
>>>>>>> change it back. Also I think "systemwide CA trust database" is
>>>>>>> better
>>>>>>> than "systemwide CA store".
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>> I fixed the descriptions. Updated patch attached.
>>>>>>
>>>>>> Tomas
>>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> There's one more thing: we should probably check if
>>>>> /usr/bin/update-ca-trust
>>>>> exists before using it, for the sake of cross-distro compatibility.
>>>>>
>>>>
>>>> Right. I am also thinking if this functionality should not be
>>>> somehow integrated into the platform files so that it can be
>>>> overriden in platforms that do not have the systemwide storage.
>>>>
>>>> Martin
>>>
>>> Updated patch attached, requires my patch 130.
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> The patch works fine; a couple of nitpicks:
>>
>> 1) The import of root_logger in services.py.in is unused.
>>
>> 2) In ipa-client-install, you log the return values of functions
>> insert_ca_cert_into_systemwide_ca_store() and
>> remove_ca_cert_from_systemwide_ca_store(). But these functions do not
>> return any values, so you will always be logging `None`.
>>
> Thanks for the review,
>
> I removed the code (it was meant for debugging purposes only).
>
> Updated patch attached.

Adding the CA to the NSS cert database is considered a fatal error. 
Should adding it to the global trust database be fatal as well?

I don't know the answer, but if we want to do this at some point should 
these functions return True/False to denote success/failure?

rob