Centralize enable/disable of the ACME service

The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.

dogtag added a REST API that can be accessed directly or through
the `pki acme` CLI tool to enable or disable the service.

It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.

A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.

The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.

Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md

ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Rob Crittenden
2020-10-06 15:17:15 -04:00
parent e13d058a06
commit c0d55ce6de
11 changed files with 109 additions and 32 deletions


@@ -71,7 +71,7 @@ ADMIN_GROUPS = [
'Security Domain Administrators'
]
ACME_AGENT_GROUP = 'ACME Agents'
ACME_AGENT_GROUP = 'Enterprise ACME Administrators'
PROFILES_DN = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
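Review bot: the constant keeps the name ACME_AGENT_GROUP while its value changes from 'ACME Agents' to 'Enterprise ACME Administrators', so the identifier now describes the wrong group; consider renaming it (for example to ACME_ADMIN_GROUP) and updating the "create ACME agent group" comment that still uses the old wording further down. Also worth confirming how existing installations that already carry an 'ACME Agents' group are handled, since on upgrade the RA would otherwise remain a member of the old group and not the one the REST API authorizes against.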
@@ -768,6 +768,12 @@ class CAInstance(DogtagInstance):
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
conn.disconnect()
def __get_ca_chain(self):
try:
return dogtag.get_ca_certchain(ca_host=self.fqdn)
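Review bot: this adds user_dn to the ACME administrators group in the same place the user is added to the other CA groups, but the group itself is created later, in the ACME setup path ("create ACME agent group (if not exist already) and user"). If this code can run before that step, add_entry_to_group will fail on a missing group_dn; either create the group here as well or guard the membership update so ordering does not matter. The surrounding block would also read better as a loop over a list of group names rather than a third copy of the three-line pattern.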
@@ -1479,6 +1485,8 @@ class CAInstance(DogtagInstance):
logger.debug('ACME service is already deployed')
return False
self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')
configure_acme_acls()
# create ACME agent group (if not exist already) and user
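Review bot: '/usr/share/pki/acme/database/ds/schema.ldif' is hardcoded here while the neighbouring ACME configuration files are referenced through the ipaplatform `paths` module (paths.PKI_ACME_REALM_CONF in the next hunk); move the schema path into `paths` too so platform overrides keep working. The early "ACME service is already deployed" return guards against a second run, but since configure_acme_acls() is a separate step it should also be safe to re-run on its own, for example from an upgrade plugin, without duplicating ACIs.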
@@ -1510,6 +1518,7 @@ class CAInstance(DogtagInstance):
('pki-acme-database.conf.template', paths.PKI_ACME_DATABASE_CONF),
('pki-acme-engine.conf.template', paths.PKI_ACME_ENGINE_CONF),
('pki-acme-issuer.conf.template', paths.PKI_ACME_ISSUER_CONF),
('pki-acme-realm.conf.template', paths.PKI_ACME_REALM_CONF),
]
sub_dict = dict(
FQDN=self.fqdn,
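Review bot: adding 'pki-acme-realm.conf.template' to the template list means its substitution keys must all be present in sub_dict, which only shows FQDN here; since the commit message says realm.conf carries the DIT for ACME users and groups, the URL and the identity, check that the base DN and the credentials it needs are supplied rather than left as literal placeholders. paths.PKI_ACME_REALM_CONF also needs a definition in the platform paths modules, which are not in this view.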
@@ -1732,6 +1741,11 @@ def ensure_acme_containers():
DN(('ou', 'orders'), ou_acme),
DN(('ou', 'authorizations'), ou_acme),
DN(('ou', 'challenges'), ou_acme),
DN(('ou', 'certificates'), ou_acme),
]
extensible_rdns = [
DN(('ou', 'config'), ou_acme),
]
for rdn in rdns:
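Review bot: the new ou=config container is created with extensibleObject so arbitrary attributes can be written to it, and this is where the enable/disable state exposed through the REST API would be stored. Make sure the ACIs installed by configure_acme_acls() grant write access on this container only to the Enterprise ACME Administrators group, and that the regular ACME data containers listed in rdns do not inherit that write permission.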
@@ -1741,6 +1755,13 @@ def ensure_acme_containers():
ou=[rdn[0][0].value],
)
for rdn in extensible_rdns:
ensure_entry(
DN(rdn, ('o', 'ipaca')),
objectclass=['top', 'organizationalUnit', 'extensibleObject'],
ou=[rdn[0][0].value],
)
def ensure_entry(dn, **attrs):
"""Ensure an entry exists.