mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
Add token support to the renew_ca_cert certmonger helper
The certificates live on the token so need to be retrieved from there with the token name. The certificates are visible in NSS softoken but operations need to be done on the HSM version. The right password is necessary so retrieve it from the PKI password store. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
7ad3b489f6
commit
93622005ba
@ -49,6 +49,10 @@ def _main():
|
||||
|
||||
dogtag_service = services.knownservices['pki_tomcatd']
|
||||
|
||||
ca = cainstance.CAInstance(host_name=api.env.host)
|
||||
if ca.token_name:
|
||||
nickname = f"{ca.token_name}:{nickname}"
|
||||
|
||||
# dogtag opens its NSS database in read/write mode so we need it
|
||||
# shut down so certmonger can open it read/write mode. This avoids
|
||||
# database corruption. It should already be stopped by the pre-command
|
||||
@ -66,8 +70,28 @@ def _main():
|
||||
syslog.syslog(
|
||||
syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
|
||||
|
||||
pwdfile = None
|
||||
if ca.hsm_enabled:
|
||||
token_pw = None
|
||||
with open(paths.PKI_TOMCAT_PASSWORD_CONF, "r") as passfile:
|
||||
contents = passfile.readlines()
|
||||
for line in contents:
|
||||
data = line.split('=', 1)
|
||||
if data[0] == 'hardware-' + ca.token_name:
|
||||
token_pw = data[1]
|
||||
break
|
||||
if token_pw:
|
||||
pwfile = ipautil.write_tmp_file(token_pw)
|
||||
pwdfile = pwfile.name
|
||||
else:
|
||||
syslog.syslog(
|
||||
syslog.LOG_ERR,
|
||||
'Unable to find pin for token %s' % ca.token_name
|
||||
)
|
||||
|
||||
# Fetch the new certificate
|
||||
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
|
||||
db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
pwd_file=pwdfile)
|
||||
cert = db.get_cert_from_db(nickname)
|
||||
if not cert:
|
||||
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
|
||||
@ -82,7 +106,6 @@ def _main():
|
||||
|
||||
api.Backend.ldap2.connect()
|
||||
|
||||
ca = cainstance.CAInstance(host_name=api.env.host)
|
||||
ca.update_cert_config(nickname, cert)
|
||||
if ca.is_renewal_master():
|
||||
cainstance.update_people_entry(cert)
|
||||
|
Loading…
Reference in New Issue
Block a user