Add ipa-client-install switch --request-cert to request cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname "Local IPA host". https://fedorahosted.org/freeipa/ticket/4550 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-10-07 19:07:13 +02:00 · 2014-10-07 19:07:13 +02:00 · b5f9d40dba
commit b5f9d40dba
parent 68a36a2804
2 changed files with 97 additions and 12 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
 SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
 SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS

-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
 def parse_options():
    def validate_ca_cert_file_option(option, opt, value, parser):
        if not os.path.exists(value):
@ -158,6 +156,9 @@ def parse_options():
    basic_group.add_option("--ca-cert-file", dest="ca_cert_file",
                           type="string", action="callback", callback=validate_ca_cert_file_option,
                           help="load the CA certificate from this file")
+    basic_group.add_option("--request-cert", dest="request_cert",
+                           action="store_true", default=False,
+                           help="request certificate for the machine")
    # --on-master is used in ipa-server-install and ipa-replica-install
    # only, it isn't meant to be used on clients.
    basic_group.add_option("--on-master", dest="on_master", action="store_true",
@ -482,11 +483,11 @@ def uninstall(options, env):
    if hostname is None:
        hostname = socket.getfqdn()

-    client_nss_nickname = client_nss_nickname_format % hostname
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)

    # Always start certmonger. We can't untrack something if it isn't
-    # running. Note that this is legacy code to untrack any certificates
-    # that were created by previous versions of this installer.
+    # running
    messagebus = services.knownservices.messagebus
    try:
        messagebus.start()
@ -499,14 +500,24 @@ def uninstall(options, env):
    except Exception, e:
        log_service_error(cmonger.service_name, 'start', e)

-    try:
-        certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
-    except (CalledProcessError, RuntimeError), e:
-        root_logger.error("%s failed to stop tracking certificate: %s",
-            cmonger.service_name, str(e))
+    if ipa_db.has_nickname('Local IPA host'):
+        try:
+            certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+                                     nickname='Local IPA host')
+        except RuntimeError, e:
+            root_logger.error("%s failed to stop tracking certificate: %s",
+                              cmonger.service_name, e)
+
+    client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+    if sys_db.has_nickname(client_nss_nickname):
+        try:
+            certmonger.stop_tracking(paths.NSS_DB_DIR,
+                                     nickname=client_nss_nickname)
+        except RuntimeError, e:
+            root_logger.error("%s failed to stop tracking certificate: %s",
+                              cmonger.service_name, e)

    # Remove our host cert and CA cert
-    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
    try:
        ipa_certs = ipa_db.list_certs()
    except CalledProcessError, e:
@ -523,7 +534,6 @@ def uninstall(options, env):
        except OSError, e:
            root_logger.error("Failed to remove %s: %s", filename, e)

-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
    for nickname, trust_flags in ipa_certs:
        while sys_db.has_nickname(nickname):
            try:
@ -1082,6 +1092,75 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,

    return 0

+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+                         remote_env):
+    if not options.request_cert:
+        return
+
+    if not remote_env['enable_ra']:
+        root_logger.warning(
+            "An RA is not configured on the server. "
+            "Not requesting host certificate.")
+        return
+
+    started = True
+    principal = 'host/%s@%s' % (hostname, cli_realm)
+
+    messagebus = services.knownservices.messagebus
+    try:
+        messagebus.start()
+    except Exception, e:
+        log_service_error(messagebus.service_name, 'start', e)
+
+    # Ensure that certmonger has been started at least once to generate the
+    # cas files in /var/lib/certmonger/cas.
+    cmonger = services.knownservices.certmonger
+    try:
+        cmonger.restart()
+    except Exception, e:
+        log_service_error(cmonger.service_name, 'restart', e)
+
+    if options.hostname:
+        # It needs to be stopped if we touch them
+        try:
+            cmonger.stop()
+        except Exception, e:
+            log_service_error(cmonger.service_name, 'stop', e)
+        # If the hostname is explicitly set then we need to tell certmonger
+        # which principal name to use when requesting certs.
+        certmonger.add_principal_to_cas(principal)
+
+    try:
+        cmonger.restart()
+    except Exception, e:
+        log_service_error(cmonger.service_name, 'restart', e)
+        root_logger.warning(
+            "Automatic certificate management will not be available")
+        started = False
+
+    try:
+        cmonger.enable()
+    except Exception, e:
+        root_logger.error(
+            "Failed to configure automatic startup of the %s daemon: %s",
+            cmonger.service_name, str(e))
+        root_logger.warning(
+            "Automatic certificate management will not be available")
+
+    # Request our host cert
+    if started:
+        subject = str(DN(('CN', hostname), subject_base))
+        passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+        try:
+            certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+                                    nickname='Local IPA host',
+                                    subject=subject,
+                                    principal=principal,
+                                    passwd_fname=passwd_fname)
+        except Exception:
+            root_logger.error("%s request for host certificate failed",
+                              cmonger.service_name)
+
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
    try:
        sssdconfig = SSSDConfig.SSSDConfig()
@ -2612,6 +2691,8 @@ def install(options, env, fstore, statestore):

    if not options.on_master:
        client_dns(cli_server[0], hostname, options.dns_updates)
+        configure_certmonger(fstore, subject_base, cli_realm, hostname,
+                             options, remote_env)

    update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)

--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@ -166,6 +166,9 @@ file. The CA certificate found in \fICA_FILE\fR is considered
 authoritative and will be installed without checking to see if it's
 valid for the IPA domain.
 .TP
+\fB\-\-request\-cert\fR
+Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+.TP
 \fB\-\-automount\-location\fR=\fILOCATION\fR
 Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
 automount location.
@ -226,6 +229,7 @@ Files always created (replacing existing content):
 /etc/krb5.conf\p
 /etc/ipa/ca.crt\p
 /etc/ipa/default.conf\p
+/etc/ipa/nssdb\p
 /etc/openldap/ldap.conf\p
 .TP
 Files updated, existing content is maintained: