Skip importing certs and requests when pki_ds_setup=False #4655

Merged
merged 2 commits into from
Jan 16, 2024
93 changes: 77 additions & 16 deletions .github/workflows/ca-container-test.yml
Expand Up @@ -395,6 +395,78 @@ jobs:
echo "0" > expected
diff expected nsTaskExitCode

- name: Import CA signing cert into CA database
run: |
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec ca pki-server ca-cert-import \
--cert /certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request $REQUEST_ID

- name: Import CA OCSP signing cert into CA database
run: |
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec ca pki-server ca-cert-import \
--cert /certs/ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request $REQUEST_ID

- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server ca-cert-request-import \
--csr /certs/audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec ca pki-server ca-cert-import \
--cert /certs/audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request $REQUEST_ID

- name: Import subsystem cert into CA database
run: |
docker exec ca pki-server ca-cert-request-import \
--csr /certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec ca pki-server ca-cert-import \
--cert /certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request $REQUEST_ID

- name: Import SSL server cert into CA database
run: |
docker exec ca pki-server ca-cert-request-import \
--csr /certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec ca pki-server ca-cert-import \
--cert /certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request $REQUEST_ID

- name: Import admin cert into CA database
run: |
docker exec ca pki-server ca-cert-request-import \
--csr /certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec ca pki-server ca-cert-import \
--cert /certs/admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request $REQUEST_ID

# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
- name: Add admin user
run: |
Expand Down Expand Up @@ -659,10 +731,10 @@ jobs:
run: |
docker exec ca bash -c "cat /var/log/pki/pki-tomcat/ca/debug.*"

- name: Gather artifacts from CA container
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/ca ds
tests/bin/ds-artifacts-save.sh ds

docker exec ca ls -la /etc/pki
mkdir -p /tmp/artifacts/ca/etc/pki
Expand All @@ -674,24 +746,13 @@ jobs:
docker cp ca:/var/log/pki /tmp/artifacts/ca/var/log

docker logs ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err
continue-on-error: true

- name: Gather artifacts from client container
if: always()
run: |
mkdir -p /tmp/artifacts/client
docker logs client > /tmp/artifacts/client/container.out 2> /tmp/artifacts/client/container.err

- name: Upload artifacts from CA container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-container-ca
path: /tmp/artifacts/ca

- name: Upload artifacts from client container
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-container-client
path: /tmp/artifacts/client
name: ca-container
path: /tmp/artifacts
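Review bot: In the new cert-import steps (the hunk at @@ -395,6 +395,78 @@), a failure of `pki-server ca-cert-request-import` is masked by `| tee output`: unless the workflow sets `shell: bash` somewhere outside this diff, the step's default shell runs with -e but not pipefail, so the step continues with an empty REQUEST_ID and the unquoted `--request $REQUEST_ID` then passes no request id to ca-cert-import, which fails later and less clearly. Adding `set -o pipefail` at the top of each run block (or `shell: bash` on the step) and checking the id before use, `[ -n "$REQUEST_ID" ]`, would make the failure surface at the import that actually broke. The same pattern is repeated in every import step added to .github/workflows/ca-existing-ds-test.yml in this PR.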
86 changes: 82 additions & 4 deletions .github/workflows/ca-existing-ds-test.yml
Expand Up @@ -160,9 +160,17 @@ jobs:
--maxConns 15 \
--minConns 3

# configure user/group subsystem to use DS
# configure CA user/group subsystem
docker exec pki pki-server ca-config-set usrgrp.ldap internaldb

# configure CA database subsystem
docker exec pki pki-server ca-config-set dbs.ldap internaldb
docker exec pki pki-server ca-config-set dbs.newSchemaEntryAdded true
docker exec pki pki-server ca-config-set dbs.requestDN ou=ca,ou=requests
docker exec pki pki-server ca-config-set dbs.request.id.generator random
docker exec pki pki-server ca-config-set dbs.serialDN ou=certificateRepository,ou=ca
docker exec pki pki-server ca-config-set dbs.cert.id.generator random

- name: Check connection to CA database
run: |
docker exec pki pki-server ca-db-info
Expand All @@ -188,6 +196,78 @@ jobs:
run: |
docker exec pki pki-server ca-db-vlv-reindex -v

- name: Import CA signing cert into CA database
run: |
docker exec pki pki-server ca-cert-request-import \
--csr /etc/pki/pki-tomcat/certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec pki pki-server ca-cert-import \
--cert /etc/pki/pki-tomcat/certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request $REQUEST_ID

- name: Import CA OCSP signing cert into CA database
run: |
docker exec pki pki-server ca-cert-request-import \
--csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec pki pki-server ca-cert-import \
--cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request $REQUEST_ID

- name: Import CA audit signing cert into CA database
run: |
docker exec pki pki-server ca-cert-request-import \
--csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec pki pki-server ca-cert-import \
--cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request $REQUEST_ID

- name: Import subsystem cert into CA database
run: |
docker exec pki pki-server ca-cert-request-import \
--csr /etc/pki/pki-tomcat/certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec pki pki-server ca-cert-import \
--cert /etc/pki/pki-tomcat/certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request $REQUEST_ID

- name: Import SSL server cert into CA database
run: |
docker exec pki pki-server ca-cert-request-import \
--csr /etc/pki/pki-tomcat/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec pki pki-server ca-cert-import \
--cert /etc/pki/pki-tomcat/certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request $REQUEST_ID

- name: Import admin cert into CA database
run: |
docker exec pki pki-server ca-cert-request-import \
--csr admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)

docker exec pki pki-server ca-cert-import \
--cert admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request $REQUEST_ID

# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database-User
- name: Add database user
run: |
Expand Down Expand Up @@ -365,6 +445,4 @@ jobs:
uses: actions/upload-artifact@v3
with:
name: ca-existing-ds
path: |
/tmp/artifacts/ds
/tmp/artifacts/pki
path: /tmp/artifacts
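Review bot: The admin cert step in the hunk at @@ -188,6 +196,78 @@ passes `--csr admin.csr` and `--cert admin.crt` as relative paths, while every other step in the same hunk uses absolute paths under /etc/pki/pki-tomcat/certs. Those relative names are resolved against the working directory of `docker exec pki`, which the hunk does not set, so the step silently depends on where an earlier step outside this diff wrote admin.csr and on the container's default working directory. Using the absolute path of wherever that earlier step writes admin.csr, consistent with the sibling steps, would remove that dependency; the step that produces admin.csr is not visible here, so the exact path needs confirming.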
27 changes: 17 additions & 10 deletions base/ca/bin/pki-ca-run
Expand Up @@ -33,8 +33,9 @@ echo "##########################################################################
rc=0
pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-show \
ca_signing > /dev/null 2>&1 || rc=$?
nss-cert-export \
--output-file /certs/ca_signing.crt \
ca_signing || rc=$?

if [ $rc -ne 0 ]
then
Expand Down Expand Up @@ -76,8 +77,9 @@ echo "##########################################################################
rc=0
pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-show \
ocsp_signing > /dev/null 2>&1 || rc=$?
nss-cert-export \
--output-file /certs/ocsp_signing.crt \
ocsp_signing || rc=$?

if [ $rc -ne 0 ]
then
Expand Down Expand Up @@ -117,8 +119,9 @@ echo "##########################################################################
rc=0
pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-show \
audit_signing > /dev/null 2>&1 || rc=$?
nss-cert-export \
--output-file /certs/audit_signing.crt \
audit_signing || rc=$?

if [ $rc -ne 0 ]
then
Expand Down Expand Up @@ -159,8 +162,9 @@ echo "##########################################################################
rc=0
pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-show \
subsystem > /dev/null 2>&1 || rc=$?
nss-cert-export \
--output-file /certs/subsystem.crt \
subsystem || rc=$?

if [ $rc -ne 0 ]
then
Expand Down Expand Up @@ -200,7 +204,8 @@ rc=0
pki \
-d /etc/pki/pki-tomcat/alias \
nss-cert-show \
sslserver > /dev/null 2>&1 || rc=$?
--output-file /certs/sslserver.crt \
sslserver || rc=$?

if [ $rc -ne 0 ]
then
Expand Down Expand Up @@ -238,7 +243,9 @@ echo "##########################################################################

# check if admin cert exists
rc=0
pki nss-cert-show admin > /dev/null 2>&1 || rc=$?
pki nss-cert-export \
--output-file /certs/admin.crt \
admin || rc=$?

if [ $rc -ne 0 ]
then
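Review bot: The sslserver block in the hunk at @@ -200,7 +204,8 @@ still invokes `nss-cert-show` (that line is unchanged context; the 7→8 line count confirms only the last line was replaced) but now passes `--output-file /certs/sslserver.crt`, while the four sibling blocks were switched to `nss-cert-export`. Unless nss-cert-show also accepts --output-file, this call fails, rc becomes non-zero and the cert-creation path below runs even when the cert already exists; changing the context line to `nss-cert-export \` makes it consistent with the others. Separately, dropping `> /dev/null 2>&1` in every block means an export that fails for a reason unrelated to a missing cert (for example /certs not being writable) is now indistinguishable from "cert does not exist" in the `if [ $rc -ne 0 ]` test; the then-branches lie outside the hunks, so whether that matters depends on what they do.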
20 changes: 13 additions & 7 deletions base/server/python/pki/server/deployment/__init__.py
Expand Up @@ -3289,7 +3289,8 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
# might conflict with system certificates to be created later.
# Also create the certificate request record for renewals.

if config.str2bool(self.mdict['pki_import_system_certs']):
if config.str2bool(self.mdict['pki_import_system_certs']) and \
config.str2bool(self.mdict['pki_ds_setup']):
self.import_cert_request(subsystem, tag, request)
self.import_cert(subsystem, tag, request, system_cert['data'])

Expand Down Expand Up @@ -3382,8 +3383,9 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):

# selfsign or local

# import request into CA database and get a request ID
self.import_cert_request(subsystem, tag, request)
if config.str2bool(self.mdict['pki_ds_setup']):
# import request into CA database and get a request ID
self.import_cert_request(subsystem, tag, request)

if cert_info:
logger.info('Reusing %s cert in NSS database', tag)
Expand All @@ -3402,8 +3404,9 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
cert_format='base64',
token=request.systemCert.token)

# import cert into CA database
self.import_cert(subsystem, tag, request, system_cert['data'])
if config.str2bool(self.mdict['pki_ds_setup']):
# import cert into CA database
self.import_cert(subsystem, tag, request, system_cert['data'])

def setup_system_certs(self, nssdb, subsystem):

Expand Down Expand Up @@ -3759,10 +3762,13 @@ def create_admin_cert(self, subsystem, csr):
request.systemCert.keyAlgorithm = self.get_signing_algorithm(subsystem, profile)
logger.info('Signing algorithm: %s', request.systemCert.keyAlgorithm)

self.import_cert_request(subsystem, 'admin', request)
if config.str2bool(self.mdict['pki_ds_setup']):
self.import_cert_request(subsystem, 'admin', request)

cert_data = self.create_cert(subsystem, 'admin', request)
self.import_cert(subsystem, 'admin', request, cert_data)

if config.str2bool(self.mdict['pki_ds_setup']):
self.import_cert(subsystem, 'admin', request, cert_data)

cert_pem = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
cert_obj = x509.load_pem_x509_certificate(cert_pem.encode(), backend=default_backend())
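Review bot: The comment just above the changed condition in the hunk at @@ -3289,7 +3289,8 @@ still states that the certificate request record is created for renewals, but when pki_ds_setup is false neither import_cert_request nor import_cert runs, so the CA database holds no request or cert record for these system certs until something else imports them (the workflows in this PR do so later with pki-server ca-cert-request-import and ca-cert-import). Suggest extending that comment with `# When pki_ds_setup is false the request/cert records are not created here and must be imported into the CA database separately.` so the next maintainer does not assume renewals work out of the box in that configuration. As a point of style, `config.str2bool(self.mdict['pki_ds_setup'])` is evaluated at five separate places across these hunks; binding it once per method, `ds_setup = config.str2bool(self.mdict['pki_ds_setup'])`, would keep the conditions shorter and make the intent obvious. setup_system_cert begins before the first hunk and create_admin_cert continues after the last one.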