IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
99e7b0c355
freeipa/ipaserver/install/certs.py

1083 lines
39 KiB
Python
Raw Normal View History

Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
#
User provided certs.
0000-12-31 18:09:24 -05:50
import os, stat, subprocess, re
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
import errno
Create temporary files used in self-signed cert requests in a temporary directory and ensure that it gets cleaned up when we're done with it. 458159
2008-08-14 17:36:35 -05:00
import tempfile
Minor bugs found while testing stuff. - wrong import in certs.py makes ipa-replica-manage fail - close the fs after the stash file is written so that the file is updated immediately and not when the fd is garbage collected
2008-08-19 15:39:33 -05:00
import shutil
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
import logging
import urllib
import xml.dom.minidom
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
import pwd
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
import fcntl
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
import base64
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
from ipapython import nsslib
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
from ipapython import dogtag
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython import ipautil
Fix certmonger errors when doing a client or server uninstall. This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
2010-08-31 16:21:25 -05:00
from ipapython import certmonger
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
from ipapython.certdb import get_ca_nickname
Handle CSRs whether they have NEW in the header or not Also consolidate some duplicate code
2010-05-03 16:38:39 -05:00
from ipalib import pkcs10
Automatically convert a v1-style ca_serialno to the v2 config style. This has been annoying for developers who switch back and forth. It will still break v1 but at least going from v1 to v2 will work seemlessly. ticket 240
2010-09-23 11:09:37 -05:00
from ConfigParser import RawConfigParser, MissingSectionHeaderError
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
import service
from ipalib import x509
Use information from the certificate subject when setting the NSS nickname. There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
2011-07-11 16:39:30 -05:00
from ipalib.dn import DN
Properly handle CertificateOperationErrors in replication prepration. The problem here was two-fold: the certs manager was raising an error it didn't know about and ipa-replica-prepare wasn't catching it. ticket 249
2010-09-20 12:35:32 -05:00
from ipalib.errors import CertificateOperationError
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
from nss.error import NSPRError
import nss.nss as nss
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
from ipalib import api
Use consistent, specific nickname for the IPA CA certificate. Also fix some imports for sha. We have a compat module for it, use it. ticket 181
2010-09-28 22:10:25 -05:00
from ipalib.compat import sha1
Fix deprecation warning for the sha library on Python 2.6 sha has been replaced by hashlib. We need to support Python 2.4 - 2.6 so this will use hashlib if available but fall back onto sha if not. Fortunately they use the same API for the function we need. 509042 Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 15:58:21 -05:00
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
# Apache needs access to this database so we need to create it
# where apache can reach
NSS_DIR = "/etc/httpd/alias"
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
CA_SERIALNO="/var/lib/ipa/ca_serialno"
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def ipa_self_signed():
"""
Determine if the current IPA CA is self-signed or using another CA
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
We do this based on the CA plugin that is currently in use.
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
"""
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
if api.env.ra_plugin == 'selfsign':
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
return True
else:
return False
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
def find_cert_from_txt(cert, start=0):
"""
Given a cert blob (str) which may or may not contian leading and
trailing text, pull out just the certificate part. This will return
the FIRST cert in a stream of data.
Returns a tuple (certificate, last position in cert)
"""
s = cert.find('-----BEGIN CERTIFICATE-----', start)
e = cert.find('-----END CERTIFICATE-----', s)
if e > 0: e = e + 25
if s < 0 or e < 0:
raise RuntimeError("Unable to find certificate")
cert = cert[s:e]
return (cert, e)
Use information from the certificate subject when setting the NSS nickname. There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
2011-07-11 16:39:30 -05:00
def get_cert_nickname(cert):
"""
Using the subject from cert come up with a nickname suitable
for NSS. The caller can decide whether to use just the RDN
or the whole subject.
Clean up existing DN object usage
2011-07-28 13:32:26 -05:00
Returns a tuple of (rdn, subject_dn) when rdn is the string
representation of the first RDN in the subject and subject_dn
is a DN object.
Use information from the certificate subject when setting the NSS nickname. There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
2011-07-11 16:39:30 -05:00
"""
nsscert = x509.load_certificate(cert)
subject = str(nsscert.subject)
dn = DN(subject)
Clean up existing DN object usage
2011-07-28 13:32:26 -05:00
return (str(dn[0]), dn)
Use information from the certificate subject when setting the NSS nickname. There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
2011-07-11 16:39:30 -05:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
def next_serial(serial_file=CA_SERIALNO):
"""
Get the next serial number if we're using an NSS-based self-signed CA.
The file is an ini-like file with following properties:
lastvalue = the last serial number handed out
nextreplica = the serial number the next replica should start with
replicainterval = the number to add to nextreplica the next time a
replica is created
File locking is attempted so we have unique serial numbers.
"""
fp = None
parser = RawConfigParser()
if ipautil.file_exists(serial_file):
try:
fp = open(serial_file, "r+")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.readfp(fp)
serial = parser.getint('selfsign', 'lastvalue')
cur_serial = serial + 1
except IOError, e:
raise RuntimeError("Unable to determine serial number: %s" % str(e))
Automatically convert a v1-style ca_serialno to the v2 config style. This has been annoying for developers who switch back and forth. It will still break v1 but at least going from v1 to v2 will work seemlessly. ticket 240
2010-09-23 11:09:37 -05:00
except MissingSectionHeaderError:
fcntl.flock(fp.fileno(), fcntl.LOCK_UN)
fp.close()
f=open(serial_file,"r")
r = f.readline()
f.close()
cur_serial = int(r) + 1
fp = open(serial_file, "w")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.add_section('selfsign')
parser.set('selfsign', 'nextreplica', 500000)
parser.set('selfsign', 'replicainterval', 500000)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
else:
fp = open(serial_file, "w")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.add_section('selfsign')
parser.set('selfsign', 'nextreplica', 500000)
parser.set('selfsign', 'replicainterval', 500000)
cur_serial = 1000
try:
fp.seek(0)
parser.set('selfsign', 'lastvalue', cur_serial)
parser.write(fp)
fp.flush()
fcntl.flock(fp.fileno(), fcntl.LOCK_UN)
fp.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
return str(cur_serial)
def next_replica(serial_file=CA_SERIALNO):
"""
Return the starting serial number for a new self-signed replica
"""
fp = None
parser = RawConfigParser()
if ipautil.file_exists(serial_file):
try:
fp = open(serial_file, "r+")
fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
parser.readfp(fp)
serial = parser.getint('selfsign', 'nextreplica')
nextreplica = serial + parser.getint('selfsign', 'replicainterval')
except IOError, e:
raise RuntimeError("Unable to determine serial number: %s" % str(e))
else:
raise RuntimeError("%s does not exist, cannot create replica" % serial_file)
try:
fp.seek(0)
parser.set('selfsign', 'nextreplica', nextreplica)
parser.write(fp)
fp.flush()
fcntl.flock(fp.fileno(), fcntl.LOCK_UN)
fp.close()
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
return str(serial)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
class CertDB(object):
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
def __init__(self, realm, nssdir=NSS_DIR, fstore=None, host_name=None, subject_base=None):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.secdir = nssdir
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
self.realm = realm
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.noise_fname = self.secdir + "/noise.txt"
self.passwd_fname = self.secdir + "/pwdfile.txt"
self.certdb_fname = self.secdir + "/cert8.db"
self.keydb_fname = self.secdir + "/key3.db"
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.secmod_fname = self.secdir + "/secmod.db"
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.cacert_fname = self.secdir + "/cacert.asc"
self.pk12_fname = self.secdir + "/cacert.p12"
self.pin_fname = self.secdir + "/pin.txt"
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.pwd_conf = "/etc/httpd/conf/password.conf"
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.reqdir = None
self.certreq_fname = None
self.certder_fname = None
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.host_name = host_name
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
self.subject_base = subject_base
Don't assume local directory is valid or writable. certutil writes to the local directory when issuing a certificate. Change to the security database directory when issuing the self-signed CA. Also handle the case where a user is in a non-existent directory when doing the install.
2010-02-03 16:40:18 -06:00
try:
self.cwd = os.getcwd()
except OSError, e:
raise RuntimeError("Unable to determine the current directory: %s" % str(e))
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
self.self_signed_ca = ipa_self_signed()
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
if not subject_base:
self.subject_base = "O=IPA"
self.subject_format = "CN=%%s,%s" % self.subject_base
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
self.cacert_name = get_ca_nickname(self.realm)
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.valid_months = "120"
self.keysize = "1024"
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
# We are going to set the owner of all of the cert
# files to the owner of the containing directory
# instead of that of the process. This works when
# this is called by root for a daemon that runs as
# a normal user
mode = os.stat(self.secdir)
self.uid = mode[stat.ST_UID]
self.gid = mode[stat.ST_GID]
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
Create temporary files used in self-signed cert requests in a temporary directory and ensure that it gets cleaned up when we're done with it. 458159
2008-08-14 17:36:35 -05:00
def __del__(self):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
if self.reqdir is not None:
shutil.rmtree(self.reqdir, ignore_errors=True)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
try:
os.chdir(self.cwd)
except:
pass
Create temporary files used in self-signed cert requests in a temporary directory and ensure that it gets cleaned up when we're done with it. 458159
2008-08-14 17:36:35 -05:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
def setup_cert_request(self):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
Create a temporary directory to store certificate requests and
certificates. This should be called before requesting certificates.
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
This is set outside of __init__ to avoid creating a temporary
directory every time we open a cert DB.
"""
if self.reqdir is not None:
return
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.reqdir = tempfile.mkdtemp('', 'ipa-', '/var/lib/ipa')
self.certreq_fname = self.reqdir + "/tmpcertreq"
self.certder_fname = self.reqdir + "/tmpcert.der"
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
# When certutil makes a request it creates a file in the cwd, make
# sure we are in a unique place when this happens
os.chdir(self.reqdir)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
def set_serial_from_pkcs12(self):
"""A CA cert was loaded from a PKCS#12 file. Set up our serial file"""
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
cur_serial = self.find_cacert_serial()
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
try:
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
fp = open(CA_SERIALNO, "w")
parser = RawConfigParser()
parser.add_section('selfsign')
parser.set('selfsign', 'lastvalue', cur_serial)
parser.set('selfsign', 'nextreplica', 500000)
parser.set('selfsign', 'replicainterval', 500000)
parser.write(fp)
fp.close()
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
except IOError, e:
raise RuntimeError("Unable to increment serial number: %s" % str(e))
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
def set_perms(self, fname, write=False, uid=None):
if uid:
pent = pwd.getpwnam(uid)
os.chown(fname, pent.pw_uid, pent.pw_gid)
else:
os.chown(fname, self.uid, self.gid)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
perms = stat.S_IRUSR
if write:
perms |= stat.S_IWUSR
os.chmod(fname, perms)
def gen_password(self):
Use consistent, specific nickname for the IPA CA certificate. Also fix some imports for sha. We have a compat module for it, use it. ticket 181
2010-09-28 22:10:25 -05:00
return sha1(ipautil.ipa_generate_password()).hexdigest()
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def run_certutil(self, args, stdin=None):
new_args = ["/usr/bin/certutil", "-d", self.secdir]
new_args = new_args + args
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
return ipautil.run(new_args, stdin)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def run_signtool(self, args, stdin=None):
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
if not self.self_signed_ca:
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
new_args = ["/usr/bin/signtool", "-d", self.secdir, "-p", password]
else:
new_args = ["/usr/bin/signtool", "-d", self.secdir]
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
new_args = new_args + args
ipautil.run(new_args, stdin)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def create_noise_file(self):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if ipautil.file_exists(self.noise_fname):
os.remove(self.noise_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
f = open(self.noise_fname, "w")
f.write(self.gen_password())
self.set_perms(self.noise_fname)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_passwd_file(self, passwd=None):
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
ipautil.backup_file(self.passwd_fname)
f = open(self.passwd_fname, "w")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if passwd is not None:
f.write("%s\n" % passwd)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
else:
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
f.write(self.gen_password())
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
f.close()
self.set_perms(self.passwd_fname)
def create_certdbs(self):
ipautil.backup_file(self.certdb_fname)
ipautil.backup_file(self.keydb_fname)
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
ipautil.backup_file(self.secmod_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.run_certutil(["-N",
"-f", self.passwd_fname])
self.set_perms(self.passwd_fname, write=True)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def list_certs(self):
"""
Return a tuple of tuples containing (nickname, trust)
"""
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-L"], stdout=subprocess.PIPE)
certs = p.stdout.read()
certs = certs.split("\n")
# FIXME, this relies on NSS never changing the formatting of certutil
certlist = []
for cert in certs:
nickname = cert[0:61]
trust = cert[61:]
if re.match(r'\w+,\w+,\w+', trust):
certlist.append((nickname.strip(), trust))
return tuple(certlist)
def has_nickname(self, nickname):
"""
Returns True if nickname exists in the certdb, False otherwise.
This could also be done directly with:
certutil -L -d -n <nickname> ...
"""
certs = self.list_certs()
for cert in certs:
if nickname == cert[0]:
return True
return False
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def create_ca_cert(self):
Don't assume local directory is valid or writable. certutil writes to the local directory when issuing a certificate. Change to the security database directory when issuing the self-signed CA. Also handle the case where a user is in a non-existent directory when doing the install.
2010-02-03 16:40:18 -06:00
os.chdir(self.secdir)
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
subject = "cn=%s Certificate Authority" % self.realm
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-S", "-n", self.cacert_name,
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
"-s", subject,
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
"-x",
"-t", "CT,,C",
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"-1",
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
"-2",
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"-5",
"-m", next_serial(),
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
"-v", self.valid_months,
"-z", self.noise_fname,
"-f", self.passwd_fname],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
# Create key usage extension
# 0 - Digital Signature
# 1 - Non-repudiation
# 5 - Cert signing key
# Is this a critical extension [y/N]? y
p.stdin.write("0\n1\n5\n9\ny\n")
# Create basic constraint extension
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
# Is this a CA certificate [y/N]? y
# Enter the path length constraint, enter to skip [<0 for unlimited pat
# Is this a critical extension [y/N]? y
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
# 5 6 7 9 n -> SSL, S/MIME, Object signing CA
p.stdin.write("y\n\ny\n")
p.stdin.write("5\n6\n7\n9\nn\n")
Add the CA constraint to the self-signed CA we generate 514027
2009-08-27 15:48:02 -05:00
p.wait()
Don't assume local directory is valid or writable. certutil writes to the local directory when issuing a certificate. Change to the security database directory when issuing the self-signed CA. Also handle the case where a user is in a non-existent directory when doing the install.
2010-02-03 16:40:18 -06:00
os.chdir(self.cwd)
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def export_ca_cert(self, nickname, create_pkcs12=False):
Don't create a backup of the PKCS#12 cert on replicas Name the file created by ipa-replica-prepare after the FQDN of the target Resolves 432904
2008-02-14 19:39:06 -06:00
"""create_pkcs12 tells us whether we should create a PKCS#12 file
of the CA or not. If we are running on a replica then we won't
have the private key to make a PKCS#12 file so we don't need to
do that step."""
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
# export the CA cert for use with other apps
ipautil.backup_file(self.cacert_fname)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
root_nicknames = self.find_root_cert(nickname)
fd = open(self.cacert_fname, "w")
for root in root_nicknames:
Add option to have ipautil.run() not raise an exception There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
2009-11-30 14:28:09 -06:00
(cert, stderr, returncode) = self.run_certutil(["-L", "-n", root, "-a"])
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
fd.write(cert)
fd.close()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
Don't create a backup of the PKCS#12 cert on replicas Name the file created by ipa-replica-prepare after the FQDN of the target Resolves 432904
2008-02-14 19:39:06 -06:00
if create_pkcs12:
ipautil.backup_file(self.pk12_fname)
ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
"-o", self.pk12_fname,
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
"-n", self.cacert_name,
Don't create a backup of the PKCS#12 cert on replicas Name the file created by ipa-replica-prepare after the FQDN of the target Resolves 432904
2008-02-14 19:39:06 -06:00
"-w", self.passwd_fname,
"-k", self.passwd_fname])
self.set_perms(self.pk12_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def load_cacert(self, cacert_fname):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"""
Load all the certificates from a given file. It is assumed that
this file creates CA certificates.
"""
fd = open(cacert_fname)
certs = fd.read()
fd.close()
Clean up existing DN object usage
2011-07-28 13:32:26 -05:00
ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
st = 0
while True:
try:
(cert, st) = find_cert_from_txt(certs, st)
Clean up existing DN object usage
2011-07-28 13:32:26 -05:00
(rdn, subject_dn) = get_cert_nickname(cert)
if subject_dn == ca_dn:
Use information from the certificate subject when setting the NSS nickname. There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames. We can instead pull the subject from the certificate and use that as the nickname. https://fedorahosted.org/freeipa/ticket/1141
2011-07-11 16:39:30 -05:00
nick = get_ca_nickname(self.realm)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
else:
Clean up existing DN object usage
2011-07-28 13:32:26 -05:00
nick = str(subject_dn)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.run_certutil(["-A", "-n", nick,
"-t", "CT,,C",
"-a"],
stdin=cert)
except RuntimeError:
break
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
def get_cert_from_db(self, nickname, pem=True):
"""
Retrieve a certificate from the current NSS database for nickname.
pem controls whether the value returned PEM or DER-encoded. The
default is the data straight from certutil -a.
"""
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
try:
args = ["-L", "-n", nickname, "-a"]
Add option to have ipautil.run() not raise an exception There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
2009-11-30 14:28:09 -06:00
(cert, err, returncode) = self.run_certutil(args)
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
if pem:
return cert
else:
(cert, start) = find_cert_from_txt(cert, start=0)
Make dogtag an optional (and default un-) installed component in a replica. A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2011-06-17 15:47:39 -05:00
cert = x509.strip_header(cert)
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
dercert = base64.b64decode(cert)
return dercert
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
except ipautil.CalledProcessError:
return ''
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
def find_cacert_serial(self):
Add option to have ipautil.run() not raise an exception There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
2009-11-30 14:28:09 -06:00
(out, err, returncode) = self.run_certutil(["-L", "-n", self.cacert_name])
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
data = out.split('\n')
for line in data:
x = re.match(r'\s+Serial Number: (\d+) .*', line)
if x is not None:
return x.group(1)
raise RuntimeError("Unable to find serial number")
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
def track_server_cert(self, nickname, principal, password_file=None):
"""
Tell certmonger to track the given certificate nickname.
"""
service.chkconfig_on("certmonger")
service.start("certmonger")
try:
Fix certmonger errors when doing a client or server uninstall. This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
2010-08-31 16:21:25 -05:00
(stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file)
except (ipautil.CalledProcessError, RuntimeError), e:
logging.error("certmonger failed starting to track certificate: %s" % str(e))
return
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
service.stop("certmonger")
cert = self.get_cert_from_db(nickname)
Make dogtag an optional (and default un-) installed component in a replica. A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
2011-06-17 15:47:39 -05:00
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
subject = str(nsscert.subject)
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
m = re.match('New tracking request "(\d+)" added', stdout)
Fix certmonger errors when doing a client or server uninstall. This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
2010-08-31 16:21:25 -05:00
if not m:
logging.error('Didn\'t get new certmonger request, got %s' % stdout)
raise RuntimeError('certmonger did not issue new tracking request for \'%s\' in \'%s\'. Use \'ipa-getcert list\' to list existing certificates.' % (nickname, self.secdir))
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
request_id = m.group(1)
certmonger.add_principal(request_id, principal)
certmonger.add_subject(request_id, subject)
service.start("certmonger")
def untrack_server_cert(self, nickname):
"""
Tell certmonger to stop tracking the given certificate nickname.
"""
# Always start certmonger. We can't untrack something if it isn't
# running
service.start("certmonger")
try:
Fix certmonger errors when doing a client or server uninstall. This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
2010-08-31 16:21:25 -05:00
certmonger.stop_tracking(self.secdir, nickname=nickname)
except (ipautil.CalledProcessError, RuntimeError), e:
logging.error("certmonger failed to stop tracking certificate: %s" % str(e))
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
service.stop("certmonger")
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
other_certdb can mean one of two things, depending on the context.
If we are using a self-signed CA then other_certdb contains the
CA that will be signing our CSR.
If we are using a dogtag CA then it contains the RA agent key
that will issue our cert.
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
You can override the certificate Subject by specifying a subject.
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
Returns a certificate in DER format.
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
cdb = other_certdb
if not cdb:
cdb = self
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
if subject is None:
subject=self.subject_format % hostname
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
self.request_cert(subject)
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
self.add_cert(self.certder_fname, nickname)
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
fd = open(self.certder_fname, "r")
dercert = fd.read()
fd.close()
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
Make the IPA server host and its services "real" IPA entries We use kadmin.local to bootstrap the creation of the kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server). Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.
2009-12-07 22:17:00 -06:00
return dercert
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def create_signing_cert(self, nickname, hostname, other_certdb=None, subject=None):
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
cdb = other_certdb
if not cdb:
cdb = self
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
if subject is None:
subject=self.subject_format % hostname
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
self.request_cert(subject)
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
cdb.issue_signing_cert(self.certreq_fname, self.certder_fname)
Commit corrected certs.py
0000-12-31 18:09:24 -05:50
self.add_cert(self.certder_fname, nickname)
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def request_cert(self, subject, certtype="rsa", keysize="2048"):
self.create_noise_file()
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.setup_cert_request()
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
args = ["-R", "-s", subject,
"-o", self.certreq_fname,
"-k", certtype,
"-g", keysize,
"-z", self.noise_fname,
"-f", self.passwd_fname]
if not self.self_signed_ca:
args.append("-a")
Add option to have ipautil.run() not raise an exception There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
2009-11-30 14:28:09 -06:00
(stdout, stderr, returncode) = self.run_certutil(args)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
os.remove(self.noise_fname)
return (stdout, stderr)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def issue_server_cert(self, certreq_fname, cert_fname):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.setup_cert_request()
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if self.self_signed_ca:
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-C", "-c", self.cacert_name,
"-i", certreq_fname,
"-o", cert_fname,
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"-m", next_serial(),
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"-v", self.valid_months,
"-f", self.passwd_fname,
"-1", "-5"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
# Bah - this sucks, but I guess it isn't possible to fully
# control this with command line arguments.
#
# What this is requesting is:
# -1 (Create key usage extension)
# 2 - Key encipherment
# 9 - done
# n - not critical
#
# -5 (Create netscape cert type extension)
# 1 - SSL Server
# 9 - done
# n - not critical
p.stdin.write("2\n9\nn\n1\n9\nn\n")
p.wait()
else:
if self.host_name is None:
raise RuntimeError("CA Host is not set.")
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
f = open(certreq_fname, "r")
csr = f.readlines()
f.close()
csr = "".join(csr)
# We just want the CSR bits, make sure there is nothing else
Handle CSRs whether they have NEW in the header or not Also consolidate some duplicate code
2010-05-03 16:38:39 -05:00
csr = pkcs10.strip_header(csr)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
params = {'profileId': 'caRAserverCert',
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
'cert_request': csr,
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
'xmlOutput': 'true'}
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
# Send the request to the CA
f = open(self.passwd_fname, "r")
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
password = f.readline()
f.close()
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
http_status, http_reason_phrase, http_headers, http_body = \
Remove older MITM fixes to make compatible with dogtag 1.3.3 We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use. Rather than using whether api.env.home is set use api.env.in_tree.
2010-03-30 14:27:28 -05:00
dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
if http_status != 200:
Fix assorted bugs found by pylint
2011-01-25 11:46:26 -06:00
raise CertificateOperationError(error='Unable to communicate with CMS (%s)' % \
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
http_reason_phrase)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
# The result is an XML blob. Pull the certificate out of that
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
doc = xml.dom.minidom.parseString(http_body)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
item_node = doc.getElementsByTagName("b64")
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
try:
try:
cert = item_node[0].childNodes[0].data
except IndexError:
raise RuntimeError("Certificate issuance failed")
finally:
doc.unlink()
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Be more careful when base64-decoding certificates Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
2010-02-01 13:00:28 -06:00
# base64-decode the result for uniformity
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
cert = base64.b64decode(cert)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
# Write the certificate to a file. It will be imported in a later
Be more careful when base64-decoding certificates Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
2010-02-01 13:00:28 -06:00
# step. This file will be read later to be imported.
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
f = open(cert_fname, "w")
f.write(cert)
f.close()
return
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
def issue_signing_cert(self, certreq_fname, cert_fname):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.setup_cert_request()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
if self.self_signed_ca:
p = subprocess.Popen(["/usr/bin/certutil",
"-d", self.secdir,
"-C", "-c", self.cacert_name,
"-i", certreq_fname,
"-o", cert_fname,
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"-m", next_serial(),
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
"-v", self.valid_months,
"-f", self.passwd_fname,
"-1", "-5"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
# Bah - this sucks, but I guess it isn't possible to fully
# control this with command line arguments.
#
# What this is requesting is:
# -1 (Create key usage extension)
# 0 - Digital Signature
# 5 - Cert signing key
# 9 - done
# n - not critical
#
# -5 (Create netscape cert type extension)
# 3 - Object Signing
# 9 - done
# n - not critical
p.stdin.write("0\n5\n9\nn\n3\n9\nn\n")
p.wait()
else:
if self.host_name is None:
raise RuntimeError("CA Host is not set.")
f = open(certreq_fname, "r")
csr = f.readlines()
f.close()
csr = "".join(csr)
# We just want the CSR bits, make sure there is no thing else
Handle CSRs whether they have NEW in the header or not Also consolidate some duplicate code
2010-05-03 16:38:39 -05:00
csr = pkcs10.strip_header(csr)
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
params = {'profileId': 'caJarSigningCert',
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
'cert_request': csr,
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
'xmlOutput': 'true'}
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
# Send the request to the CA
f = open(self.passwd_fname, "r")
password = f.readline()
f.close()
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
http_status, http_reason_phrase, http_headers, http_body = \
Remove older MITM fixes to make compatible with dogtag 1.3.3 We set a new port to be used with dogtag but IPA doesn't utilize it. This also changes the way we determine which security database to use. Rather than using whether api.env.home is set use api.env.in_tree.
2010-03-30 14:27:28 -05:00
dogtag.https_request(self.host_name, api.env.ca_ee_port, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params)
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
if http_status != 200:
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
raise RuntimeError("Unable to submit cert request")
# The result is an XML blob. Pull the certificate out of that
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly.
2010-02-02 21:52:11 -06:00
doc = xml.dom.minidom.parseString(http_body)
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
item_node = doc.getElementsByTagName("b64")
cert = item_node[0].childNodes[0].data
doc.unlink()
Be more careful when base64-decoding certificates Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
2010-02-01 13:00:28 -06:00
# base64-decode the cert for uniformity
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
cert = base64.b64decode(cert)
Be more careful when base64-decoding certificates Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
2010-02-01 13:00:28 -06:00
# Write the certificate to a file. It will be imported in a later
# step. This file will be read later to be imported.
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
f = open(cert_fname, "w")
f.write(cert)
f.close()
return
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def add_cert(self, cert_fname, nickname):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"""
Load a certificate from a PEM file and add minimal trust.
"""
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
args = ["-A", "-n", nickname,
"-t", "u,u,u",
"-i", cert_fname,
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"-f", self.passwd_fname]
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.run_certutil(args)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
def create_pin_file(self):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
"""
This is the format of Directory Server pin files.
"""
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
ipautil.backup_file(self.pin_fname)
f = open(self.pin_fname, "w")
f.write("Internal (Software) Token:")
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile = open(self.passwd_fname)
f.write(pwdfile.read())
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
f.close()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile.close()
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.set_perms(self.pin_fname)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
def create_password_conf(self):
"""
This is the format of mod_nss pin files.
"""
ipautil.backup_file(self.pwd_conf)
f = open(self.pwd_conf, "w")
f.write("internal:")
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile = open(self.passwd_fname)
f.write(pwdfile.read())
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
f.close()
Add signing profile to CA installation so we can sign the firefox jar file. Use the requestId we get back from the CA when requesting the RA agent cert and use that to issue the certificate rather than hardcoding 7. This also adds some clean-up of file permissions and leaking fds
2009-04-17 16:17:31 -05:00
pwdfile.close()
self.set_perms(self.pwd_conf, uid="apache")
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def find_root_cert(self, nickname):
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
"""
Given a nickname, return a list of the certificates that make up
the trust chain.
"""
root_nicknames = []
User provided certs.
0000-12-31 18:09:24 -05:50
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-O", "-n", nickname], stdout=subprocess.PIPE)
chain = p.stdout.read()
chain = chain.split("\n")
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
for c in chain:
m = re.match('\s*"(.*)" \[.*', c)
if m:
root_nicknames.append(m.groups()[0])
if len(root_nicknames) > 1:
# If you pass in the name of a CA to get the chain it may only
# return 1 (self-signed). Return that.
try:
root_nicknames.remove(nickname)
except ValueError:
# The nickname wasn't in the list
pass
No need to trust NSS built-in CA's, more specific regex for finding CA nickname - Add some logging so we have a better idea of what happened if things fail - Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output. - Remove unused httplib import Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 11:16:56 -05:00
# Try to work around a change in the F-11 certutil where untrusted
# CA's are not shown in the chain. This will make a default IPA
# server installable.
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
if len(root_nicknames) == 0 and self.self_signed_ca:
return [self.cacert_name]
User provided certs.
0000-12-31 18:09:24 -05:50
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
return root_nicknames
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Fixed whitespace indentation error in certs.py
2009-07-27 20:23:31 -05:00
def find_root_cert_from_pkcs12(self, pkcs12_fname, passwd_fname=None):
"""Given a PKCS#12 file, try to find any certificates that do
not have a key. The assumption is that these are the root CAs.
"""
args = ["/usr/bin/pk12util", "-d", self.secdir,
"-l", pkcs12_fname,
"-k", passwd_fname]
if passwd_fname:
args = args + ["-w", passwd_fname]
try:
Add option to have ipautil.run() not raise an exception There are times where a caller will want to determine the course of action based on the returncode instead of relying on it != 0. This also lets the caller get the contents of stdout and stderr.
2009-11-30 14:28:09 -06:00
(stdout, stderr, returncode) = ipautil.run(args)
Fixed whitespace indentation error in certs.py
2009-07-27 20:23:31 -05:00
except ipautil.CalledProcessError, e:
if e.returncode == 17:
raise RuntimeError("incorrect password")
else:
raise RuntimeError("unknown error using pkcs#12 file")
lines = stdout.split('\n')
# A simple state machine.
# 1 = looking for "Certificate:"
# 2 = looking for the Friendly name (nickname)
nicknames = []
state = 1
for line in lines:
if state == 2:
m = re.match("\W+Friendly Name: (.*)", line)
if m:
nicknames.append( m.groups(0)[0])
state = 1
if line == "Certificate:":
state = 2
return nicknames
Identify CAs to trust from an imported PKCS#12 file We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
2009-07-24 08:29:33 -05:00
def trust_root_cert(self, root_nickname):
No need to trust NSS built-in CA's, more specific regex for finding CA nickname - Add some logging so we have a better idea of what happened if things fail - Default to self-signed CA to trust if one is not found. This will fix the self-signed CA case where certutil doesn't return untrusted CA's in -O output. - Remove unused httplib import Signed-off-by: Jason Gerard DeRose <jderose@redhat.com>
2009-07-23 11:16:56 -05:00
if root_nickname is None:
logging.debug("Unable to identify root certificate to trust. Continueing but things are likely to fail.")
return
if root_nickname[:7] == "Builtin":
logging.debug("No need to add trust for built-in root CA's, skipping %s" % root_nickname)
else:
Don't let failure to trust the CA abort the server installation. This error could result in things not working properly but it should be relatively easy to fix from the command-line. There is no point in not installing at all due to this.
2010-04-01 13:18:49 -05:00
try:
self.run_certutil(["-M", "-n", root_nickname,
"-t", "CT,CT,"])
except ipautil.CalledProcessError, e:
logging.error("Setting trust on %s failed" % root_nickname)
User provided certs.
0000-12-31 18:09:24 -05:50
def find_server_certs(self):
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-L"], stdout=subprocess.PIPE)
certs = p.stdout.read()
certs = certs.split("\n")
server_certs = []
for cert in certs:
fields = cert.split()
if not len(fields):
continue
flags = fields[-1]
if 'u' in flags:
name = " ".join(fields[0:-1])
NSS 3.12 added a header to the certutil output we need to skip 456694
2008-07-25 16:06:51 -05:00
# NSS 3.12 added a header to the certutil output
if name == "Certificate Nickname Trust":
continue
User provided certs.
0000-12-31 18:09:24 -05:50
server_certs.append((name, flags))
return server_certs
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
def import_pkcs12(self, pkcs12_fname, passwd_fname=None):
args = ["/usr/bin/pk12util", "-d", self.secdir,
"-i", pkcs12_fname,
"-k", self.passwd_fname]
if passwd_fname:
args = args + ["-w", passwd_fname]
User provided certs.
0000-12-31 18:09:24 -05:50
try:
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
ipautil.run(args)
User provided certs.
0000-12-31 18:09:24 -05:50
except ipautil.CalledProcessError, e:
if e.returncode == 17:
raise RuntimeError("incorrect password")
else:
raise RuntimeError("unknown error import pkcs#12 file")
Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate
2010-11-01 12:51:14 -05:00
def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
if nickname is None:
nickname = get_ca_nickname(api.env.realm)
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
ipautil.run(["/usr/bin/pk12util", "-d", self.secdir,
"-o", pkcs12_fname,
"-n", nickname,
"-k", self.passwd_fname,
"-w", pkcs12_pwd_fname])
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
nickname, pem_fname):
ipautil.run(["/usr/bin/openssl", "pkcs12",
"-export", "-name", nickname,
"-in", pem_fname, "-out", pkcs12_fname,
"-passout", "file:" + pkcs12_pwd_fname])
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_self_signed(self, passwd=None):
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.create_noise_file()
self.create_passwd_file(passwd)
self.create_certdbs()
self.create_ca_cert()
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
self.export_ca_cert(self.cacert_name, True)
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.create_pin_file()
Generate a database password by default in all cases. If the password passed in when creating a NSS certificate database is None then a random password is generated. If it is empty ('') then an empty password is set. Because of this the HTTP instance on replicas were created with an empty password. https://fedorahosted.org/freeipa/ticket/1407
2011-07-17 11:55:54 -05:00
def create_from_cacert(self, cacert_fname, passwd=None):
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if ipautil.file_exists(self.certdb_fname):
# We already have a cert db, see if it is for the same CA.
# If it is we leave things as they are.
f = open(cacert_fname, "r")
newca = f.readlines()
f.close()
newca = "".join(newca)
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
(newca, st) = find_cert_from_txt(newca)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
cacert = self.get_cert_from_db(self.cacert_name)
if cacert != '':
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
(cacert, st) = find_cert_from_txt(cacert)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
if newca == cacert:
return
# The CA certificates are different or something went wrong. Start with
# a new certificate database.
Convert the setup of ssl from a shell script to a python module. This is in preparation for user supplied certs.
0000-12-31 18:09:24 -05:50
self.create_passwd_file(passwd)
self.create_certdbs()
self.load_cacert(cacert_fname)
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, passwd=None):
"""Create a new NSS database using the certificates in a PKCS#12 file.
pkcs12_fname: the filename of the PKCS#12 file
pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
nickname: the nickname/friendly-name of the cert we are loading
passwd: The password to use for the new NSS database we are creating
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
The global CA may be added as well in case it wasn't included in the
PKCS#12 file. Extra certs won't hurt in any case.
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
"""
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
self.create_noise_file()
self.create_passwd_file(passwd)
self.create_certdbs()
self.import_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
server_certs = self.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
# We only handle one server cert
nickname = server_certs[0][0]
Identify CAs to trust from an imported PKCS#12 file We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
2009-07-24 08:29:33 -05:00
ca_names = self.find_root_cert_from_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
if len(ca_names) == 0:
raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
self.cacert_name = ca_names[0]
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
for ca in ca_names:
self.trust_root_cert(ca)
Identify CAs to trust from an imported PKCS#12 file We used to use certutil -O to determine the cert chain to trust. This behavior changed in F-11 such that untrusted CAs are not displayed. This is only used when we import PKCS#12 files so use pk12util -l to display the list of certs and keys in the file to determine the nickname(s) of the CAs to trust. 509111
2009-07-24 08:29:33 -05:00
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
self.create_pin_file()
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
self.export_ca_cert(nickname, False)
Issue DS and Apache server certs during CA installation. Notes: - will create a CA instance (pki-ca) if it doesn't exist - maintains support for a self-signed CA - A signing cert is still not created so Firefox autoconfig still won't work
2009-04-13 12:39:15 -05:00
self.self_signed_ca=False
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
# This file implies that we have our own self-signed CA. Ensure
# that it no longer exists (from previous installs, for example).
try:
Move the self-signed CA serialno file to /var/lib/ipa to adhere to the FHS 455064
2008-07-24 13:34:43 -05:00
os.remove(CA_SERIALNO)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
except:
pass
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage.
2010-10-29 15:23:21 -05:00
def create_kdc_cert(self, nickname, hostname, destdir):
"""Create a new certificate with the spcial othername encoding needed
by a KDC certificate.
nickname: the CN name set in the certificate
destdir: the location where cert and key are to be installed
destdir will contain kdc.pem if the operation is successful
"""
reqcfg = "kdc_req.conf"
extcfg = ipautil.SHARE_DIR + "kdc_extensions.template"
key_fname = destdir + "/kdckey.pem"
cert_fname = destdir + "/kdccert.pem"
key_cert_fname = destdir + "/kdc.pem"
# Setup the temp dir
self.setup_cert_request()
# Copy the CA password file because openssl apparently can't use
# the same file twice within the same command and throws an error
ca_pwd_file = self.reqdir + "pwdfile.txt"
shutil.copyfile(self.passwd_fname, ca_pwd_file)
# Extract the cacert.pem file used by openssl to sign the certs
ipautil.run(["/usr/bin/openssl", "pkcs12",
"-in", self.pk12_fname,
"-passin", "file:" + self.passwd_fname,
"-passout", "file:" + ca_pwd_file,
"-out", "cacert.pem"])
# Create the kdc key
ipautil.run(["/usr/bin/openssl", "genrsa",
"-out", key_fname, "2048"])
# Prepare a simple cert request
req_dict = dict(PASSWORD=self.gen_password(),
SUBJBASE=self.subject_base,
CERTNAME="CN="+nickname)
req_template = ipautil.SHARE_DIR + reqcfg + ".template"
conf = ipautil.template_file(req_template, req_dict)
fd = open(reqcfg, "w+")
fd.write(conf)
fd.close()
base = self.subject_base.replace(",", "/")
esc_subject = "CN=%s/%s" % (nickname, base)
ipautil.run(["/usr/bin/openssl", "req", "-new",
"-config", reqcfg,
"-subj", esc_subject,
"-key", key_fname,
"-out", "kdc.req"])
# Finally, sign the cert using the extensions file to set the
# special name
ipautil.run(["/usr/bin/openssl", "x509", "-req",
"-CA", "cacert.pem",
"-extfile", extcfg,
"-extensions", "kdc_cert",
"-passin", "file:" + ca_pwd_file,
"-set_serial", next_serial(),
"-in", "kdc.req",
"-out", cert_fname],
env = { 'REALM':self.realm, 'HOST_FQDN':hostname })
# Merge key and cert in a single file
fd = open(key_fname, "r")
key = fd.read()
fd.close()
fd = open(cert_fname, "r")
cert = fd.read()
fd.close()
fd = open(key_cert_fname, "w")
fd.write(key)
fd.write(cert)
fd.close()
os.unlink(key_fname)
os.unlink(cert_fname)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
def install_pem_from_p12(self, p12_fname, p12_pwd_fname, pem_fname):
ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes",
"-in", p12_fname, "-out", pem_fname,
"-passin", "file:" + p12_pwd_fname])
Backup system state in ipa-server-install This patch adds a sysrestore module which allows ipa-server-install code to backup any system state so that it can be restored again with e.g. ipa-server-install --uninstall. The idea is that any files ipa-server-install modifies gets backed up to /var/cache/ipa/sysrestore/ while any "meta" state, like whether a service is enabled with chkconfig, is saved to /var/cache/ipa/sysrestore.state. Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2008-01-14 11:43:26 -06:00
def backup_files(self):
Move sysrestore to ipa-python so it can be used by client scripts too. Change backup format so files are all in a single directory (no dir hierarchies) and use an index file so we can save also ownership and permission info for the restore (and eventually other data later on).
2008-03-27 18:01:38 -05:00
self.fstore.backup_file(self.noise_fname)
self.fstore.backup_file(self.passwd_fname)
self.fstore.backup_file(self.certdb_fname)
self.fstore.backup_file(self.keydb_fname)
self.fstore.backup_file(self.secmod_fname)
self.fstore.backup_file(self.cacert_fname)
self.fstore.backup_file(self.pk12_fname)
self.fstore.backup_file(self.pin_fname)
self.fstore.backup_file(self.certreq_fname)
self.fstore.backup_file(self.certder_fname)
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
def publish_ca_cert(self, location):
shutil.copy(self.cacert_fname, location)
os.chmod(location, 0444)
Reference in New Issue Copy Permalink