IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Track CA certificate using dogtag-ipa-ca-renew-agent.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-03-12 11:33:18 +01:00 committed by Petr Viktorin
parent 9393c3978e
commit 2f6990c256
2 changed files with 30 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
install/tools/ipa-upgradeconfig
View File

@ -627,7 +627,7 @@ def certificate_renewal_update(ca):
dogtag_constants = dogtag.configured_constants() dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed # bump version when requests is changed
version = 1 version = 2
requests = ( requests = (
( (
dogtag_constants.ALIAS_DIR, dogtag_constants.ALIAS_DIR,
@ -635,6 +635,7 @@ def certificate_renewal_update(ca):
'dogtag-ipa-ca-renew-agent', 'dogtag-ipa-ca-renew-agent',
'stop_pkicad', 'stop_pkicad',
'renew_ca_cert', 'renew_ca_cert',
None,
), ),
( (
dogtag_constants.ALIAS_DIR, dogtag_constants.ALIAS_DIR,
@ -642,6 +643,7 @@ def certificate_renewal_update(ca):
'dogtag-ipa-ca-renew-agent', 'dogtag-ipa-ca-renew-agent',
'stop_pkicad', 'stop_pkicad',
'renew_ca_cert', 'renew_ca_cert',
None,
), ),
( (
dogtag_constants.ALIAS_DIR, dogtag_constants.ALIAS_DIR,
@ -649,6 +651,15 @@ def certificate_renewal_update(ca):
'dogtag-ipa-ca-renew-agent', 'dogtag-ipa-ca-renew-agent',
'stop_pkicad', 'stop_pkicad',
'renew_ca_cert', 'renew_ca_cert',
None,
),
(
dogtag_constants.ALIAS_DIR,
'caSigningCert cert-pki-ca',
'dogtag-ipa-ca-renew-agent',
'stop_pkicad',
'renew_ca_cert',
'ipaCACertRenewal',
), ),
( (
paths.HTTPD_ALIAS_DIR, paths.HTTPD_ALIAS_DIR,
@ -656,6 +667,7 @@ def certificate_renewal_update(ca):
'dogtag-ipa-ca-renew-agent', 'dogtag-ipa-ca-renew-agent',
None, None,
'renew_ra_cert', 'renew_ra_cert',
None,
), ),
( (
dogtag_constants.ALIAS_DIR, dogtag_constants.ALIAS_DIR,
@ -663,6 +675,7 @@ def certificate_renewal_update(ca):
'dogtag-ipa-renew-agent', 'dogtag-ipa-renew-agent',
None, None,
None, None,
None,
), ),
) )
@ -677,11 +690,13 @@ def certificate_renewal_update(ca):
return False return False
# State not set, lets see if we are already configured # State not set, lets see if we are already configured
for nss_dir, nickname, ca_name, pre_command, post_command in requests: for request in requests:
nss_dir, nickname, ca_name, pre_command, post_command, profile = request
criteria = ( criteria = (
('cert_storage_location', nss_dir, certmonger.NPATH), ('cert_storage_location', nss_dir, certmonger.NPATH),
('cert_nickname', nickname, None), ('cert_nickname', nickname, None),
('ca_name', ca_name, None), ('ca_name', ca_name, None),
('template_profile', profile, None),
) )
request_id = certmonger.get_request_id(criteria) request_id = certmonger.get_request_id(criteria)
if request_id is None: if request_id is None:

20
ipaserver/install/cainstance.py
View File

@ -312,9 +312,10 @@ def stop_tracking_certificates(dogtag_constants):
cmonger.start() cmonger.start()
for nickname in ['Server-Cert cert-pki-ca', for nickname in ['Server-Cert cert-pki-ca',
'auditSigningCert cert-pki-ca', 'auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']: 'subsystemCert cert-pki-ca',
'caSigningCert cert-pki-ca']:
try: try:
certmonger.stop_tracking( certmonger.stop_tracking(
dogtag_constants.ALIAS_DIR, nickname=nickname) dogtag_constants.ALIAS_DIR, nickname=nickname)
@ -1437,12 +1438,16 @@ class CAInstance(service.Service):
'Unable to determine PIN for CA instance: %s' % e) 'Unable to determine PIN for CA instance: %s' % e)
def configure_renewal(self): def configure_renewal(self):
reqs = (
('auditSigningCert cert-pki-ca', None),
('ocspSigningCert cert-pki-ca', None),
('subsystemCert cert-pki-ca', None),
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'),
)
pin = self.__get_ca_pin() pin = self.__get_ca_pin()
# Server-Cert cert-pki-ca is renewed per-server # Server-Cert cert-pki-ca is renewed per-server
for nickname in ['auditSigningCert cert-pki-ca', for nickname, profile in reqs:
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca']:
try: try:
certmonger.dogtag_start_tracking( certmonger.dogtag_start_tracking(
ca='dogtag-ipa-ca-renew-agent', ca='dogtag-ipa-ca-renew-agent',
@ -1451,7 +1456,8 @@ class CAInstance(service.Service):
pinfile=None, pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR, secdir=self.dogtag_constants.ALIAS_DIR,
pre_command='stop_pkicad', pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname) post_command='renew_ca_cert "%s"' % nickname,
profile=profile)
except (ipautil.CalledProcessError, RuntimeError), e: except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error( root_logger.error(
"certmonger failed to start tracking certificate: %s" % e) "certmonger failed to start tracking certificate: %s" % e)