mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
pkinit-replica: create certificates for replicas too
altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
This commit is contained in:
Simo Sorce
@@ -68,6 +68,8 @@ def parse_options():
|
||||
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
|
||||
default=False,
|
||||
help="Do not use DNS for hostname lookup during installation")
|
||||
parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
|
||||
default=True, help="disables pkinit setup steps")
|
||||
|
||||
options, args = parser.parse_args()
|
||||
safe_options = parser.get_safe_opts(options)
|
||||
@@ -178,13 +180,21 @@ def install_ds(config):
|
||||
|
||||
return ds
|
||||
|
||||
def install_krb(config):
|
||||
def install_krb(config, setup_pkinit=False):
|
||||
krb = krbinstance.KrbInstance()
|
||||
ldappwd_filename = config.dir + "/ldappwd"
|
||||
kpasswd_filename = config.dir + "/kpasswd.keytab"
|
||||
|
||||
#pkinit files
|
||||
pkcs12_info = None
|
||||
if ipautil.file_exists(config.dir + "/pkinitcert.p12"):
|
||||
pkcs12_info = (config.dir + "/pkinitcert.p12",
|
||||
config.dir + "/pkinit_pin.txt")
|
||||
|
||||
krb.create_replica(config.ds_user, config.realm_name, config.host_name,
|
||||
config.domain_name, config.dirman_password,
|
||||
ldappwd_filename, kpasswd_filename)
|
||||
ldappwd_filename, kpasswd_filename,
|
||||
setup_pkinit, pkcs12_info)
|
||||
|
||||
def install_ca_cert(config):
|
||||
if ipautil.file_exists(config.dir + "/ca.crt"):
|
||||
@@ -261,6 +271,11 @@ def check_bind():
|
||||
print "Aborting installation"
|
||||
sys.exit(1)
|
||||
|
||||
def check_pkinit():
|
||||
if not krbinstance.check_pkinit_plugin():
|
||||
print "Aborting installation"
|
||||
sys.exit(1)
|
||||
|
||||
def main():
|
||||
safe_options, options, filename = parse_options()
|
||||
installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
|
||||
@@ -269,8 +284,14 @@ def main():
|
||||
if not ipautil.file_exists(filename):
|
||||
sys.exit("Replica file %s does not exist" % filename)
|
||||
|
||||
# check the bind is installed
|
||||
if options.setup_dns:
|
||||
check_bind()
|
||||
|
||||
# check the pkinit plugin is installed
|
||||
if options.setup_pkinit:
|
||||
check_pkinit()
|
||||
|
||||
check_dirsrv()
|
||||
|
||||
# get the directory manager password
|
||||
@@ -367,7 +388,7 @@ def main():
|
||||
if ret != 0:
|
||||
raise RuntimeError("Failed to start replication")
|
||||
|
||||
install_krb(config)
|
||||
install_krb(config, setup_pkinit=options.setup_pkinit)
|
||||
install_http(config)
|
||||
if CA:
|
||||
CA.import_ra_cert(dir + "/ra.p12")
|
||||
|
||||
@@ -41,25 +41,39 @@ def parse_options():
|
||||
help="install certificate for the directory server")
|
||||
parser.add_option("--http_pkcs12", dest="http_pkcs12",
|
||||
help="install certificate for the http server")
|
||||
parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
|
||||
help="install certificate for the KDC")
|
||||
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
|
||||
help="PIN for the Directory Server PKCS#12 file")
|
||||
parser.add_option("--http_pin", dest="http_pin",
|
||||
help="PIN for the Apache Server PKCS#12 file")
|
||||
parser.add_option("--pkinit_pin", dest="pkinit_pin",
|
||||
help="PIN for the KDC pkinit PKCS#12 file")
|
||||
parser.add_option("-p", "--password", dest="password",
|
||||
help="Directory Manager (existing master) password")
|
||||
parser.add_option("--ip-address", dest="ip_address",
|
||||
help="Add A and PTR records of the future replica")
|
||||
parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
|
||||
help="Location of CA PKCS#12 file, default /root/cacert.p12")
|
||||
parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
|
||||
default=True, help="disables pkinit setup steps")
|
||||
|
||||
options, args = parser.parse_args()
|
||||
|
||||
# If any of the PKCS#12 options are selected, all are required. Create a
|
||||
# list of the options and count it to enforce that all are required without
|
||||
# having a huge set of it blocks.
|
||||
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
|
||||
if options.setup_pkinit:
|
||||
pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin,
|
||||
options.http_pkcs12, options.http_pin,
|
||||
options.pkinit_pkcs12, options.pkinit_pin]
|
||||
num = 6
|
||||
else:
|
||||
pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin,
|
||||
options.http_pkcs12, options.http_pin]
|
||||
num = 4
|
||||
cnt = pkcs12.count(None)
|
||||
if cnt > 0 and cnt < 4:
|
||||
if cnt > 0 and cnt < num:
|
||||
parser.error("All PKCS#12 options are required if any are used.")
|
||||
|
||||
if options.ip_address:
|
||||
@@ -90,7 +104,7 @@ def check_ipa_configuration(realm_name):
|
||||
logging.error("could not find directory instance: %s" % config_dir)
|
||||
sys.exit(1)
|
||||
|
||||
def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None):
|
||||
def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None, is_kdc=False):
|
||||
"""realm is the kerberos realm for the IPA server.
|
||||
ds_dir is the location of the master DS we are creating a replica for.
|
||||
dir is the location of the files for the replica we are creating.
|
||||
@@ -100,6 +114,12 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
|
||||
|
||||
The subject is handled by certs.CertDB:create_server_cert()
|
||||
"""
|
||||
|
||||
if is_kdc:
|
||||
nickname = "KDC-Cert"
|
||||
else:
|
||||
nickname = "Server-Cert"
|
||||
|
||||
try:
|
||||
self_signed = certs.ipa_self_signed()
|
||||
|
||||
@@ -111,15 +131,22 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
|
||||
# else:
|
||||
# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
|
||||
ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
|
||||
db.create_from_cacert(ca_db.cacert_fname)
|
||||
db.create_server_cert("Server-Cert", hostname, ca_db)
|
||||
if is_kdc:
|
||||
ca_db.create_kdc_cert("KDC-Cert", hostname, dir)
|
||||
else:
|
||||
db.create_from_cacert(ca_db.cacert_fname)
|
||||
db.create_server_cert(nickname, hostname, ca_db)
|
||||
except Exception, e:
|
||||
raise e
|
||||
|
||||
pkcs12_fname = dir + "/" + fname + ".p12"
|
||||
|
||||
try:
|
||||
db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
|
||||
if is_kdc:
|
||||
ca_db.export_pem_p12(pkcs12_fname, passwd_fname,
|
||||
nickname, dir + "/kdc.pem")
|
||||
else:
|
||||
db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
|
||||
except ipautil.CalledProcessError, e:
|
||||
print "error exporting Server certificate: " + str(e)
|
||||
remove_file(pkcs12_fname)
|
||||
@@ -129,6 +156,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
|
||||
remove_file(dir + "/key3.db")
|
||||
remove_file(dir + "/secmod.db")
|
||||
remove_file(dir + "/noise.txt")
|
||||
if is_kdc:
|
||||
remove_file(dir + "/kdc.pem")
|
||||
if ipautil.file_exists(passwd_fname + ".orig"):
|
||||
remove_file(passwd_fname + ".orig")
|
||||
|
||||
@@ -194,6 +223,8 @@ def copy_files(realm_name, dir):
|
||||
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
|
||||
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
|
||||
shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
|
||||
if ipautil.file_exists("/var/kerberos/krb5kdc/cacert.pem"):
|
||||
shutil.copy("/var/kerberos/krb5kdc/cacert.pem", dir + "/cacert.pem")
|
||||
except Exception, e:
|
||||
print "error copying files: " + str(e)
|
||||
sys.exit(1)
|
||||
@@ -316,6 +347,35 @@ def main():
|
||||
print "Exporting RA certificate"
|
||||
export_ra_pkcs12(dir, dirman_password)
|
||||
|
||||
if options.setup_pkinit:
|
||||
if options.pkinit_pin:
|
||||
passwd = options.pkinit_pin
|
||||
else:
|
||||
passwd = ""
|
||||
|
||||
passwd_fname = dir + "/pkinit_pin.txt"
|
||||
fd = open(passwd_fname, "w")
|
||||
fd.write("%s\n" % passwd)
|
||||
fd.close()
|
||||
|
||||
if options.pkinit_pkcs12:
|
||||
print "Copying SSL certificate for the KDC from %s" % options.pkinit_pkcs12
|
||||
try:
|
||||
shutil.copy(options.pkinit_pkcs12, dir + "/pkinitcert.p12")
|
||||
except IOError, e:
|
||||
print "Copy failed %s" % e
|
||||
sys.exit(1)
|
||||
else:
|
||||
print "Creating SSL certificate for the KDC"
|
||||
try:
|
||||
export_certdb(api.env.realm, ds_dir, dir,
|
||||
passwd_fname, "pkinitcert",
|
||||
replica_fqdn, subject_base,
|
||||
is_kdc=True)
|
||||
except errors.CertificateOperationError, e:
|
||||
print "%s" % e
|
||||
sys.exit(1)
|
||||
|
||||
print "Copying additional files"
|
||||
copy_files(api.env.realm, dir)
|
||||
print "Finalizing configuration"
|
||||
|
||||
@@ -865,6 +865,13 @@ class CertDB(object):
|
||||
"-k", self.passwd_fname,
|
||||
"-w", pkcs12_pwd_fname])
|
||||
|
||||
def export_pem_p12(self, pkcs12_fname, pkcs12_pwd_fname,
|
||||
nickname, pem_fname):
|
||||
ipautil.run(["/usr/bin/openssl", "pkcs12",
|
||||
"-export", "-name", nickname,
|
||||
"-in", pem_fname, "-out", pkcs12_fname,
|
||||
"-passout", "file:" + pkcs12_pwd_fname])
|
||||
|
||||
def create_self_signed(self, passwd=None):
|
||||
self.create_noise_file()
|
||||
self.create_passwd_file(passwd)
|
||||
@@ -1017,6 +1024,11 @@ class CertDB(object):
|
||||
os.unlink(key_fname)
|
||||
os.unlink(cert_fname)
|
||||
|
||||
def install_pem_from_p12(self, p12_fname, p12_pwd_fname, pem_fname):
|
||||
ipautil.run(["/usr/bin/openssl", "pkcs12", "-nodes",
|
||||
"-in", p12_fname, "-out", pem_fname,
|
||||
"-passin", "file:" + p12_pwd_fname])
|
||||
|
||||
def backup_files(self):
|
||||
self.fstore.backup_file(self.noise_fname)
|
||||
self.fstore.backup_file(self.passwd_fname)
|
||||
|
||||
@@ -205,7 +205,14 @@ class KrbInstance(service.Service):
|
||||
|
||||
self.kpasswd.create_instance()
|
||||
|
||||
def create_replica(self, ds_user, realm_name, host_name, domain_name, admin_password, ldap_passwd_filename, kpasswd_filename):
|
||||
def create_replica(self, ds_user, realm_name, host_name,
|
||||
domain_name, admin_password,
|
||||
ldap_passwd_filename, kpasswd_filename,
|
||||
setup_pkinit=False, pkcs12_info=None,
|
||||
self_signed_ca=False, subject_base=None):
|
||||
self.pkcs12_info = pkcs12_info
|
||||
self.self_signed_ca = self_signed_ca
|
||||
self.subject_base = subject_base
|
||||
self.__copy_ldap_passwd(ldap_passwd_filename)
|
||||
self.__copy_kpasswd_keytab(kpasswd_filename)
|
||||
|
||||
@@ -217,6 +224,8 @@ class KrbInstance(service.Service):
|
||||
self.step("creating a keytab for the directory", self.__create_ds_keytab)
|
||||
self.step("creating a keytab for the machine", self.__create_host_keytab)
|
||||
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
|
||||
if setup_pkinit:
|
||||
self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
|
||||
|
||||
self.__common_post_setup()
|
||||
|
||||
@@ -506,16 +515,17 @@ class KrbInstance(service.Service):
|
||||
ca_db = certs.CertDB(httpinstance.NSS_DIR, self.realm,
|
||||
host_name=self.fqdn,
|
||||
subject_base=self.subject_base)
|
||||
|
||||
if self.pkcs12_info:
|
||||
|
||||
raise RuntimeError("Using PKCS12 Certs not supported yet\n")
|
||||
|
||||
ca_db.install_pem_from_p12(self.pkcs12_info[0],
|
||||
self.pkcs12_info[1],
|
||||
"/var/kerberos/krb5kdc/kdc.pem")
|
||||
else:
|
||||
if self.self_signed_ca:
|
||||
ca_db.create_kdc_cert("KDC-Cert", self.fqdn,
|
||||
"/var/kerberos/krb5kdc")
|
||||
else:
|
||||
raise RuntimeError("Using PKCS12 Certs not supported yet\n")
|
||||
raise RuntimeError("PKI not supported yet\n")
|
||||
|
||||
# Finally copy the cacert in the krb directory so we don't
|
||||
# have any selinux issues with the file context
|
||||
|
||||
Reference in New Issue
Block a user