IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add token support to the renew_ca_cert certmonger helper

Browse Source 
The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden 2022-12-09 21:44:43 -05:00
parent 7ad3b489f6
commit 93622005ba
1 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
install/restart_scripts/renew_ca_cert.in
View File

@ -49,6 +49,10 @@ def _main():
dogtag_service = services.knownservices['pki_tomcatd'] dogtag_service = services.knownservices['pki_tomcatd']
ca = cainstance.CAInstance(host_name=api.env.host)
if ca.token_name:
nickname = f"{ca.token_name}:{nickname}"
# dogtag opens its NSS database in read/write mode so we need it # dogtag opens its NSS database in read/write mode so we need it
# shut down so certmonger can open it read/write mode. This avoids # shut down so certmonger can open it read/write mode. This avoids
# database corruption. It should already be stopped by the pre-command # database corruption. It should already be stopped by the pre-command
@ -66,8 +70,28 @@ def _main():
syslog.syslog( syslog.syslog(
syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name) syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
pwdfile = None
if ca.hsm_enabled:
token_pw = None
with open(paths.PKI_TOMCAT_PASSWORD_CONF, "r") as passfile:
contents = passfile.readlines()
for line in contents:
data = line.split('=', 1)
if data[0] == 'hardware-' + ca.token_name:
token_pw = data[1]
break
if token_pw:
pwfile = ipautil.write_tmp_file(token_pw)
pwdfile = pwfile.name
else:
syslog.syslog(
syslog.LOG_ERR,
'Unable to find pin for token %s' % ca.token_name
)
# Fetch the new certificate # Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR,
pwd_file=pwdfile)
cert = db.get_cert_from_db(nickname) cert = db.get_cert_from_db(nickname)
if not cert: if not cert:
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
@ -82,7 +106,6 @@ def _main():
api.Backend.ldap2.connect() api.Backend.ldap2.connect()
ca = cainstance.CAInstance(host_name=api.env.host)
ca.update_cert_config(nickname, cert) ca.update_cert_config(nickname, cert)
if ca.is_renewal_master(): if ca.is_renewal_master():
cainstance.update_people_entry(cert) cainstance.update_people_entry(cert)