Using cert from nssdb in cert-export #4578
System certificates are stored in CS.cfg and nssdb. This is redundant; all operations should use the same source for the certificate, which is the nssdb. This modifies the following command in order to get the certificate from nssdb: [root@pki /] # pki-server cert-export --cert-file <filename>
Please see my comments. There are minor issues but feel free to update & merge. Thanks!
@@ -2009,6 +2009,8 @@ def get_cert_info(self, nickname, token=None): | |||
cert = {} | |||
cert['object'] = cert_obj | |||
|
|||
cert['data'] = self.get_cert(nickname=nickname, token=token, output_format='base64') |
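Review bot: `cert['data']` is filled with `output_format='base64'`, yet the caller in the second hunk immediately converts it back with `convert_cert(cert_data, 'base64', 'pem')`; either return PEM from `get_cert_info()` directly or note in the function's docstring that `'data'` is bare base64 rather than PEM, so other callers of `get_cert_info()` do not assume the wrong format. The thread also points out that `get_cert()` is already called earlier in this function for the same nickname, so this second nssdb lookup could reuse that result once the binary-to-base64 conversion issue with `convert_cert()` is sorted out.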
We probably can reuse the return value from get_cert() in line 2001, then convert it to base64 with convert_cert().
I have tried to use the cert_pem value, but it is a binary string and convert_cert() has some trouble converting it.
OK, no worries then, we can deal with it another time. Thanks!
if cert_data: | ||
cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') | ||
else: | ||
crt_path = os.path.join(instance.conf_dir, 'conf', 'certs', f'{cert_id}.crt') |
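Review bot: the `else` branch joins `cert_id` straight into a filesystem path; if `cert_id` arrives from the command line, validating it before `os.path.join()` (rejecting path separators, or restricting it to the known system cert IDs) keeps a malformed argument from resolving to a file outside the certs directory. The hunk also shows no existence check on `crt_path`: when the certificate is in neither the nssdb nor the `.crt` file, a clear "certificate not found" error is preferable to a traceback from the subsequent read.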
I think we don't need the conf part since instance.conf_dir is already pointing to the config folder.
Unfortunately I think we cannot use f-string because the code needs to be able to run on RHEL 8 which only has Python 3.6.
> Unfortunately I think we cannot use f-string because the code needs to be able to run on RHEL 8 which only has Python 3.6.

f-strings are available from 3.6 (https://peps.python.org/pep-0498) and in my test VM they work, but I have modified it to use '+' concatenation to avoid compatibility issues.
> I think we don't need the conf part since instance.conf_dir is already pointing to the config folder.

Not sure on this. In my tests I printed the location of the conf_dir and where the CSR file is read, and I get:
Conf dir is /etc/pki/pki-tomcat
Csr path /etc/pki/pki-tomcat/conf/certs/sslserver.csr
Inside the instance I do not have a conf folder, so for the moment I am leaving it. We can change the location for the certs if needed, or create an instance.cert_dir if that is the case.
About f-string, looks like you're right. I was comparing Python 3.6 and 3.7 docs, apparently the f-string is described in different sections:
https://docs.python.org/3.7/tutorial/inputoutput.html
https://docs.python.org/3.6/tutorial/inputoutput.html
Generally a Tomcat instance has a conf folder under the instance folder that contains Tomcat config files (e.g. server.xml): https://tomcat.apache.org/tomcat-9.0-doc/introduction.html

Following the same convention, in a PKI the folder would be /var/lib/pki/<instance name>/conf. However, Fedora requires config files to be stored under /etc, so /var/lib/pki/<instance name>/conf is actually a link to /etc/pki/pki-tomcat, but here we don't need to add conf in the path anymore since everything under /etc is config files, so it would be redundant.

Yeah, we can certainly add something like certs_dir to define the location for system certs and CSRs.
Reading the issue, you wrote the certificate should go in the <instance>/conf/certs folder and I was thinking that <instance> is /etc/pki/<instance_name>, but I was wrong: that is the conf folder, IIUC.
I will fix this directly in master. Thanks for the clarification.
Thanks!
The command pki-server cert-export will read the certificate and the relative request from the "<instance>/config/certs" folder if not found in other places
Kudos, SonarCloud Quality Gate passed!
@edewata Thanks!
Certificate and relative CSR are stored in multiple places. The command pki-server cert-export was reading only from the CS.cfg file but has been modified to read from nssdb and from the folder <instance>/conf/certs/<cert_id>.crt.
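The lookup order the PR settles on (base64 value from the nssdb first, then <instance>/conf/certs/<cert_id>.crt under the instance conf_dir), as an added stand-alone example that is not the project's code: base64_to_pem(), load_cert_pem(), CERT_ID_RE and demo() are hypothetical names standing in for pki.nssdb.convert_cert() and the cert-export code path, and the ID validation and existence check are additions the PR itself does not contain.

```python
import base64
import os
import re
import tempfile

# Hypothetical stand-in for pki.nssdb.convert_cert(data, 'base64', 'pem'):
# wraps a base64 DER blob into PEM with 64-character lines.
def base64_to_pem(data):
    body = ''.join(data.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ('-----BEGIN CERTIFICATE-----\n' + '\n'.join(lines) +
            '\n-----END CERTIFICATE-----\n')

# Hypothetical check, not in the PR: only plain nickname-like IDs may be joined
# into a path, so '/' and other separators cannot steer the read out of certs/.
CERT_ID_RE = re.compile(r'^[A-Za-z0-9_.-]+$')

def load_cert_pem(cert_data, conf_dir, cert_id):
    """Return the certificate as PEM. cert_data is the base64 value from the
    nssdb (or None); the fallback is <conf_dir>/certs/<cert_id>.crt."""
    if cert_data:
        return base64_to_pem(cert_data)
    if not CERT_ID_RE.match(cert_id):
        raise ValueError('invalid cert ID: %r' % cert_id)
    # '+' concatenation rather than an f-string, matching the thread's choice.
    crt_path = os.path.join(conf_dir, 'certs', cert_id + '.crt')
    if not os.path.isfile(crt_path):
        raise FileNotFoundError('%s not in nssdb and %s does not exist'
                                % (cert_id, crt_path))
    with open(crt_path) as f:
        return f.read()

# Constructed sample data: not a real certificate, just DER-like bytes.
SAMPLE_B64 = base64.b64encode(b'constructed DER bytes for the example ' * 4).decode()

def demo():
    """Exercise all three paths in a scratch conf_dir; returns the results."""
    with tempfile.TemporaryDirectory() as conf_dir:
        os.makedirs(os.path.join(conf_dir, 'certs'))
        with open(os.path.join(conf_dir, 'certs', 'sslserver.crt'), 'w') as f:
            f.write(base64_to_pem(SAMPLE_B64))
        from_nssdb = load_cert_pem(SAMPLE_B64, conf_dir, 'sslserver')
        from_file = load_cert_pem(None, conf_dir, 'sslserver')
        try:
            load_cert_pem(None, conf_dir, '../sslserver')
            bad_id_rejected = False
        except ValueError:
            bad_id_rejected = True
        return from_nssdb, from_file, bad_id_rejected
```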