When the HTTP `nss.conf` `NSSNickname` value is enclosed in single quotes (this occurs when the cert came from a PKCS #12 file, e.g. when using an externally signed HTTP cert or a domain-level 0 installation), running `ipa-server-certinstall` to replace the cert fails because `installutils.get_directive()` interprets the single quotes as part of the value.
This appears to be a regression introduced in ee96384 (see also https://fedorahosted.org/freeipa/ticket/5809).
Excerpt of `ipa-server-certinstall --verbose ...` output:

```
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/httpd/alias -D -n 'Server-Cert'
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: could not find certificate named "'Server-Cert'": SEC_ERROR_BAD_DATABASE: security library: bad database.

ipa.ipaserver.install.ipa_server_certinstall.ServerCertInstall: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 113, in run
    self.install_http_cert()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 145, in install_http_cert
    'restart_httpd')

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_certinstall.py", line 211, in import_cert
    cdb.delete_cert(old_cert)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 492, in delete_cert
    self.nssdb.delete_cert(nickname)

  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 488, in delete_cert
    self.run_certutil(["-D", "-n", nick])

  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 144, in run_certutil
    return ipautil.run(new_args, stdin, **kwargs)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 518, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))

ipa.ipaserver.install.ipa_server_certinstall.ServerCertInstall: DEBUG: The ipa-server-certinstall command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -D -n 'Server-Cert'' returned non-zero exit status 255
ipa.ipaserver.install.ipa_server_certinstall.ServerCertInstall: ERROR: Command '/usr/bin/certutil -d /etc/httpd/alias -D -n 'Server-Cert'' returned non-zero exit status 255
ipa.ipaserver.install.ipa_server_certinstall.ServerCertInstall: ERROR: The ipa-server-certinstall command failed.
```
Credit to Flo for discovering this.
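To make the parsing problem concrete, here is an added, self-contained illustration written for this page; it is not FreeIPA's `installutils` code. The function names (`get_directive_raw`, `get_directive`, `find_cert`), the simulated certificate database and the sample `nss.conf` text are all constructed. It shows how a directive reader that returns the value verbatim hands `'Server-Cert'` (quotes included) to the nickname lookup, which then fails exactly as in the log above, and how stripping one matching pair of outer quotes yields the nickname the NSS database actually contains.

```python
"""Added example (not FreeIPA code): quoted NSSNickname vs. nickname lookup.

All names below are hypothetical helpers written to mirror the behaviour the
ticket describes; the sample configuration and database are constructed.
"""

# Constructed nss.conf fragment, as written when the HTTP cert was imported
# from a PKCS #12 file: the nickname is enclosed in single quotes.
NSS_CONF_QUOTED = """\
# constructed sample, not a real file
NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname 'Server-Cert'
"""

# The same directive written without quotes (plain installer output).
NSS_CONF_BARE = NSS_CONF_QUOTED.replace("'Server-Cert'", "Server-Cert")

# Constructed stand-in for the nicknames present in /etc/httpd/alias.
SIMULATED_NSSDB = {"Server-Cert", "IPA CA"}


def get_directive_raw(text, directive):
    """Return the directive value verbatim, as a naive parser would.

    This reproduces the failure mode in the ticket: the surrounding single
    quotes are treated as part of the value, so "'Server-Cert'" is returned.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == directive:
            return parts[1].strip()
    return None


def get_directive(text, directive):
    """Return the directive value with one matching pair of outer quotes removed.

    Apache accepts both 'value' and "value", so either kind is stripped, but
    only when the opening and closing quote match; odd input is left as-is.
    """
    value = get_directive_raw(text, directive)
    if value is None:
        return None
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
        return value[1:-1]
    return value


def find_cert(nickname, db=SIMULATED_NSSDB):
    """Simulate `certutil -D -n <nickname>` against the constructed database.

    Returns the nickname on success, or an error string shaped like the
    certutil message in the log when no such nickname exists.
    """
    if nickname in db:
        return nickname
    return 'certutil: could not find certificate named "%s"' % nickname


if __name__ == "__main__":
    raw = get_directive_raw(NSS_CONF_QUOTED, "NSSNickname")
    fixed = get_directive(NSS_CONF_QUOTED, "NSSNickname")
    print("verbatim value :", repr(raw), "->", find_cert(raw))
    print("unquoted value :", repr(fixed), "->", find_cert(fixed))
```

Running the script shows the verbatim value `"'Server-Cert'"` producing the "could not find certificate" error while the unquoted value resolves, so the fix belongs in the directive reader rather than in the `certutil` call sites.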
Metadata Update from @ftweedal:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.5