Fix pki_server_external_certs_path

Previously if the pki_server_pkcs12_path was not specified the external certs specified in pki_server_external_certs_path would not be imported either. This is incorrect since these parameters are unrelated. To address the issue the code that imports the external certs in PKIDeployer.import_server_pkcs12() has been moved into import_external_certs() which will always be invoked during installation. The update_external_certs_conf() has been merged into this method as well. The PKIInstance.load_external_certs() has been modified to add the external cert using add_external_cert() to avoid creating duplicate entries in the external_certs.conf. The PKIInstance.store_external_certs() has been modified to remove the external_certs.conf if it's empty. In the future the pki_server_external_certs_path param and the pki-server instance-externalcert-* commands might be deprecated and eventually removed since there are other ways to deal with external certs without having to maintain external_certs.conf.
dogtagpki · Jan 30, 2025 · 448d9a1 · 448d9a1
1 parent 917a4c4
commit 448d9a1
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 26 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -560,24 +560,6 @@ def get_key_params(self, cert_id):
 
         return (key_type, key_size, curve, hash_alg)
 
-    def update_external_certs_conf(self, external_path):
-
-        external_certs = pki.server.instance.PKIInstance.load_external_certs_conf(
-            external_path)
-
-        if not external_certs:
-            return
-
-        # load existing external certs
-        self.instance.load_external_certs()
-
-        # add new external certs
-        for cert in external_certs:
-            logger.info('Adding %s cert', cert.nickname)
-            self.instance.add_external_cert(cert.nickname, cert.token)
-
-        self.instance.store_external_certs()
-
     def create_server_nssdb(self):
 
         os.chmod(
@@ -655,13 +637,6 @@ def import_server_pkcs12(self):
                 pkcs12_file=pki_server_pkcs12_path,
                 pkcs12_password=pki_server_pkcs12_password)
 
-            # update external CA file (if needed)
-            external_certs_path = self.mdict['pki_server_external_certs_path']
-            if not external_certs_path:
-                return
-
-            self.update_external_certs_conf(external_certs_path)
-
         finally:
             nssdb.close()
 
@@ -805,6 +780,33 @@ def import_ds_ca_cert(self):
         finally:
             nssdb.close()
 
+    def import_external_certs(self):
+        '''
+        Import external certificates.
+        '''
+
+        param = 'pki_server_external_certs_path'
+        external_certs_path = self.mdict.get(param)
+
+        if not external_certs_path:
+            return
+
+        external_certs = pki.server.instance.PKIInstance.load_external_certs_conf(
+            external_certs_path)
+
+        if not external_certs:
+            return
+
+        # load existing external certs
+        self.instance.load_external_certs()
+
+        # add new external certs
+        for cert in external_certs:
+            logger.info('Adding %s cert', cert.nickname)
+            self.instance.add_external_cert(cert.nickname, cert.token)
+
+        self.instance.store_external_certs()
+
     def create_cs_cfg(self, subsystem):
 
         tmpdir = tempfile.mkdtemp()

diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -39,6 +39,7 @@ def spawn(self, deployer):
         deployer.import_server_pkcs12()
         deployer.import_clone_pkcs12()
         deployer.install_cert_chain()
+        deployer.import_external_certs()
 
         if config.str2bool(deployer.mdict['pki_ds_setup']):
             deployer.import_ds_ca_cert()

diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
@@ -392,7 +392,7 @@ def load(self):
 
     def load_external_certs(self):
         for external_cert in PKIInstance.load_external_certs_conf(self.external_certs_conf):
-            self.external_certs.append(external_cert)
+            self.add_external_cert(external_cert.nickname, external_cert.token)
 
     def remove(self, remove_conf=False, remove_logs=False, force=False):
 
@@ -494,6 +494,12 @@ def delete_external_cert(self, nickname, token):
                 self.external_certs.remove(cert)
 
     def store_external_certs(self):
+
+        if len(self.external_certs) == 0:
+            logger.info('Removing %s', self.external_certs_conf)
+            pki.util.remove(self.external_certs_conf)
+            return
+
         PKIInstance.store_external_certs_conf(self.external_certs_conf, self.external_certs)
 
     def export_external_certs(self, pkcs12_file, pkcs12_password_file,