diff --git a/.github/workflows/ipa-clone-test.yml b/.github/workflows/ipa-clone-test.yml index c82f244a8f3..113868c3ecb 100644 --- a/.github/workflows/ipa-clone-test.yml +++ b/.github/workflows/ipa-clone-test.yml @@ -275,18 +275,12 @@ jobs: - name: Check CA CSR copied correctly run: | - docker exec primary pki-server ca-config-find \ - | grep -oP '^ca\.(\w*)\.nickname=(.*)$' \ - | grep -v sslserver \ - | sed -E 's/^ca\.(.*)\.nickname=(.*)$/\2/g' \ - | tee listCerts - docker cp primary:/etc/pki/pki-tomcat/certs primary-certs docker cp secondary:/etc/pki/pki-tomcat/certs secondary-certs - while IFS="" read -r cert ; do \ - diff "primary-certs/$cert.csr" "secondary-certs/$cert.csr" || exit 1 ; \ - done < listCerts + diff primary-certs/ca_audit_signing.csr secondary-certs/ca_audit_signing.csr + diff primary-certs/ca_ocsp_signing.csr secondary-certs/ca_ocsp_signing.csr + diff primary-certs/ca_signing.csr secondary-certs/ca_signing.csr - name: Check CRL generation config run: | diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 4ab628cb4ed..81decd36eba 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -1438,10 +1438,10 @@ def import_master_config(self, subsystem): return master_config def store_master_cert_request(self, subsystem, key, csr): - - nickname = subsystem.config.get(key.replace('.certreq', '.nickname')) - - csr_path = os.path.join(self.instance.conf_dir, 'certs', nickname + '.csr') + cert_id = key.split(',')[1] + if cert_id != 'sslserver' and cert_id != 'subsystem': + cert_id = subsystem.name + '_' + cert_id + csr_path = os.path.join(self.instance.conf_dir, 'certs', cert_id + '.csr') try: self.file.create(csr_path) with open(csr_path, 'w', encoding='utf-8') as f: @@ -1931,10 +1931,12 @@ def import_system_cert_request(self, subsystem, tag): if not os.path.exists(csr_path): raise Exception('Invalid path in %s: %s' % (param, csr_path)) - cert_nickname = subsystem.config.get('%s.%s.nickname' % (subsystem.name, tag)) + if tag != 'sslserver' and tag != 'subsystem': + tag = subsystem.name + '_' + cert_id + self.file.copy( old_name=csr_path, - new_name=os.path.join(certs_folder, cert_nickname + '.csr'), + new_name=os.path.join(certs_folder, tag + '.csr'), overwrite_flag=True) def import_system_cert_requests(self, subsystem): @@ -2727,7 +2729,11 @@ def create_cert_setup_request(self, subsystem, tag, cert): request.systemCert.requestType = 'pkcs10' try: - csr_path = os.path.join(self.instance.conf_dir, 'certs', cert.get('nickname') + '.csr') + if tag != 'sslserver' and tag != 'subsystem': + csr_name = subsystem.name + '_' + tag + '.csr' + else: + csr_name = tag + '.csr' + csr_path = os.path.join(self.instance.conf_dir, 'certs', csr_name) with open(csr_path, 'r', encoding='utf-8') as f: csr_data = f.read() request.systemCert.request = pki.nssdb.convert_csr(csr_data, 'pem', 'base64') @@ -2882,9 +2888,14 @@ def generate_csr(self, shutil.move(csr_pathname, csr_path) certs_folder = os.path.join(self.instance.conf_dir, 'certs') + if tag != 'sslserver' and tag != 'subsystem': + csr_name = subsystem.name + '_' + tag + '.csr' + else: + csr_name = tag + '.csr' + self.file.copy( old_name=csr_path, - new_name=os.path.join(certs_folder, cert_id + '.csr'), + new_name=os.path.join(certs_folder, csr_name), overwrite_flag=True) def create_cert_request(self, nssdb, tag, request): diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index 830f546bc4d..41abad2ce88 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -330,7 +330,9 @@ def update_system_cert(self, cert): self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token') certs_path = os.path.join(self.instance.conf_dir, 'certs') self.instance.makedirs(certs_path, exist_ok=True) - csr_file = os.path.join(certs_path, cert.get('nickname') + '.csr') + if cert_id != 'sslserver' and cert_id != 'subsystem': + cert_id = self.name + '_' + cert_id + csr_file = os.path.join(certs_path, cert_id + '.csr') with open(csr_file, "w", encoding='utf-8') as f: f.write(pki.nssdb.convert_csr(cert.get('request'), 'base64', 'pem')) os.chown(csr_file, self.instance.uid, self.instance.gid) diff --git a/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py b/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py index e64107b37fe..ca94c461d25 100644 --- a/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py +++ b/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py @@ -25,28 +25,20 @@ def upgrade_subsystem(self, instance, subsystem): certs_path = os.path.join(instance.conf_dir, 'certs') instance.makedirs(certs_path, exist_ok=True) logger.info('Removing certs data') - if subsystem.name == 'ca': - self.clean_cert_csr('signing', subsystem, certs_path) - self.clean_cert_csr('ocsp_signing', subsystem, certs_path) - if subsystem.name == 'kra': - self.clean_cert_csr('storage', subsystem, certs_path) - self.clean_cert_csr('transport', subsystem, certs_path) - if subsystem.name == 'ocsp': - self.clean_cert_csr('signing', subsystem, certs_path) - - self.clean_cert_csr('sslserver', subsystem, certs_path) - self.clean_cert_csr('subsystem', subsystem, certs_path) - self.clean_cert_csr('audit_signing', subsystem, certs_path) + certs = subsystem.find_system_certs() + for cert in certs: + self.clean_cert_csr(cert['id'], subsystem, certs_path) subsystem.save() def clean_cert_csr(self, tag, subsystem, dest_path): subsystem.config.pop('%s.%s.cert' % (subsystem.name, tag), None) cert_req = subsystem.config.pop('%s.%s.certreq' % (subsystem.name, tag), None) - nickname = subsystem.config.get('%s.%s.nickname' % (subsystem.name, tag)) + if tag != 'sslserver' and tag != 'subsystem': + tag = subsystem.name + '_' + tag if cert_req: csr_data = pki.nssdb.convert_csr(cert_req, 'base64', 'pem') - csr_file = os.path.join(dest_path, nickname + '.csr') + csr_file = os.path.join(dest_path, tag + '.csr') with open(csr_file, 'w', encoding='utf-8') as f: f.write(csr_data) os.chown(csr_file, subsystem.instance.uid, subsystem.instance.gid)