freeipa/install/tools/ipa-server-certinstall

177 lines
5.6 KiB
Plaintext
Raw Normal View History

0000-12-31 18:09:24 -05:50
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
0000-12-31 18:09:24 -05:50
#
import sys
import os
import pwd
import tempfile
0000-12-31 18:09:24 -05:50
import traceback
import krbV
0000-12-31 18:09:24 -05:50
from ipapython.ipautil import user_input
from ipaserver.install import certs, dsinstance, httpinstance, installutils
from ipalib import api
from ipaserver.plugins.ldap2 import ldap2
0000-12-31 18:09:24 -05:50
def get_realm_name():
c = krbV.default_context()
return c.default_realm
def parse_options():
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true",
default=False, help="install certificate for the directory server")
parser.add_option("-w", "--http", dest="http", action="store_true",
default=False, help="install certificate for the http server")
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
help="The password of the Directory Server PKCS#12 file")
parser.add_option("--http_pin", dest="http_pin",
help="The password of the Apache Server PKCS#12 file")
0000-12-31 18:09:24 -05:50
options, args = parser.parse_args()
if not options.dirsrv and not options.http:
parser.error("you must specify dirsrv and/or http")
if ((options.dirsrv and not options.dirsrv_pin) or
(options.http and not options.http_pin)):
parser.error("you must provide the password for the PKCS#12 file")
0000-12-31 18:09:24 -05:50
if len(args) != 1:
parser.error("you must provide a pkcs12 filename")
return options, args[0]
def set_ds_cert_name(cert_name, dm_password):
conn = ldap2(shared_instance=False, base_dn='')
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
mod = {'nssslpersonalityssl': cert_name}
conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
conn.disconnect()
0000-12-31 18:09:24 -05:50
def choose_server_cert(server_certs):
print "Please select the certificate to use:"
num = 1
for cert in server_certs:
print "%d. %s" % (num, cert[0])
num += 1
0000-12-31 18:09:24 -05:50
while 1:
num = user_input("Certificate number", 1)
0000-12-31 18:09:24 -05:50
print ""
if num < 1 or num > len(server_certs):
print "number out of range"
0000-12-31 18:09:24 -05:50
else:
break
return server_certs[num - 1]
def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
cdb = certs.CertDB(api.env.realm, nssdir=dirname)
cdb.create_passwd_file(db_password)
0000-12-31 18:09:24 -05:50
cdb.create_certdbs()
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, pkcs12_passwd)
os.close(pw_fd)
0000-12-31 18:09:24 -05:50
try:
try:
cdb.import_pkcs12(pkcs12_fname, pw_name)
ca_names = cdb.find_root_cert_from_pkcs12(pkcs12_fname, pw_name)
except RuntimeError, e:
print str(e)
sys.exit(1)
finally:
os.remove(pw_name)
0000-12-31 18:09:24 -05:50
server_certs = cdb.find_server_certs()
if len(server_certs) == 0:
print "could not find a suitable server cert in import"
sys.exit(1)
elif len(server_certs) == 1:
server_cert = server_certs[0]
else:
server_cert = choose_server_cert(server_certs)
for ca in ca_names:
cdb.trust_root_cert(ca)
0000-12-31 18:09:24 -05:50
return server_cert
def main():
installutils.check_server_configuration()
0000-12-31 18:09:24 -05:50
options, pkcs12_fname = parse_options()
cfg = dict(in_server=True,)
api.bootstrap(**cfg)
api.finalize()
0000-12-31 18:09:24 -05:50
try:
if options.dirsrv:
dm_password = installutils.read_password("Directory Manager",
confirm=False, validate=False, retry=False)
if dm_password is None:
sys.exit("\nDirectory Manager password required")
0000-12-31 18:09:24 -05:50
realm = get_realm_name()
dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
fd = open(dirname + "/pwdfile.txt")
passwd = fd.read()
fd.close()
server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
0000-12-31 18:09:24 -05:50
set_ds_cert_name(server_cert[0], dm_password)
if options.http:
2011-01-25 11:46:26 -06:00
dirname = certs.NSS_DIR
server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0])
0000-12-31 18:09:24 -05:50
# Fix the database permissions
os.chmod(dirname + "/cert8.db", 0640)
os.chmod(dirname + "/key3.db", 0640)
os.chmod(dirname + "/secmod.db", 0640)
pent = pwd.getpwnam("apache")
os.chown(dirname + "/cert8.db", 0, pent.pw_gid )
os.chown(dirname + "/key3.db", 0, pent.pw_gid )
os.chown(dirname + "/secmod.db", 0, pent.pw_gid )
0000-12-31 18:09:24 -05:50
except Exception, e:
traceback.print_exc(file=sys.stderr)
sys.exit("an unexpected error occurred: %s" % str(e))
0000-12-31 18:09:24 -05:50
return 0
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
main()
except SystemExit, e:
sys.exit(e)
except RuntimeError, e:
sys.exit(e)