dsinstance, httpinstance: consolidate certificate request code

A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Jan Cholasta 2017-04-07 07:43:09 +02:00 committed by Martin Babinsky
parent 8a85586379
commit ec52332229
4 changed files with 43 additions and 99 deletions

View File

@ -396,10 +396,7 @@ class DsInstance(service.Service):
self.step("creating DS keytab", self.request_service_keytab)
if self.promote:
if self.pkcs12_info:
self.step("configuring TLS for DS instance", self.__enable_ssl)
else:
self.step("retrieving DS Certificate", self.__get_ds_cert)
self.step("configuring TLS for DS instance", self.__enable_ssl)
self.step("restarting directory server", self.__restart_instance)
self.step("setting up initial replication", self.__setup_replica)
@ -810,18 +807,23 @@ class DsInstance(service.Service):
dsdb.track_server_cert(
self.nickname, self.principal, dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
self.add_cert_to_service()
else:
dsdb.create_from_cacert()
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
if self.master_fqdn is None:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
cmd = 'restart_dirsrv %s' % self.serverid
certmonger.request_and_wait_for_cert(
@ -835,7 +837,8 @@ class DsInstance(service.Service):
dns=[self.fqdn],
post_command=cmd)
finally:
certmonger.modify_ca_helper('IPA', prev_helper)
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
# restart_dirsrv in the request above restarts DS, reconnect ldap2
api.Backend.ldap2.disconnect()
@ -843,6 +846,9 @@ class DsInstance(service.Service):
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
if prev_helper is not None:
self.add_cert_to_service()
dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
@ -1236,46 +1242,6 @@ class DsInstance(service.Service):
ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
replacevars=vardict)
def __get_ds_cert(self):
nssdb_dir = config_dirname(self.serverid)
db = certs.CertDB(
self.realm,
nssdir=nssdb_dir,
subject_base=self.subject_base,
ca_subject=self.ca_subject,
)
db.create_from_cacert()
db.request_service_cert(self.nickname, self.principal, self.fqdn)
db.create_pin_file()
# Connect to self over ldapi as Directory Manager and configure SSL
ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)
conn = ipaldap.LDAPClient(ldap_uri)
conn.external_bind()
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s(DN(('cn', 'config')), mod)
entry = conn.make_entry(
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
objectclass=["top", "nsEncryptionModule"],
cn=["RSA"],
nsSSLPersonalitySSL=[self.nickname],
nsSSLToken=["internal (software)"],
nsSSLActivation=["on"],
)
conn.add_entry(entry)
conn.unbind()
# check for open secure port 636 from now on
self.open_ports.append(636)
def write_certmap_conf(realm, ca_subject):
"""(Re)write certmap.conf with given CA subject DN."""

View File

@ -376,12 +376,12 @@ class HTTPInstance(service.Service):
return False
def __setup_ssl(self):
truncate = not self.promote or not self.ca_is_configured
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
subject_base=self.subject_base, user="root",
group=constants.HTTPD_GROUP,
truncate=truncate)
truncate=True)
self.disable_system_trust()
self.create_password_conf()
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'
@ -394,8 +394,6 @@ class HTTPInstance(service.Service):
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
self.create_password_conf()
# We only handle one server cert
nickname = server_certs[0][0]
if nickname == 'ipaCert':
@ -410,7 +408,6 @@ class HTTPInstance(service.Service):
else:
if not self.promote:
self.create_password_conf()
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
@ -421,23 +418,26 @@ class HTTPInstance(service.Service):
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
try:
certmonger.request_and_wait_for_cert(
certpath=db.secdir,
nickname=self.cert_nickname,
principal=self.principal,
passwd_fname=db.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd')
self.dercert = db.get_cert_from_db(
self.cert_nickname, pem=False)
finally:
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=db.secdir,
nickname=self.cert_nickname,
principal=self.principal,
passwd_fname=db.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd')
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.dercert = db.get_cert_from_db(self.cert_nickname, pem=False)
if prev_helper is not None:
self.add_cert_to_service()
# Verify we have a valid server cert

View File

@ -807,10 +807,6 @@ def install(installer):
if setup_ca:
ca.install_step_1(False, None, options)
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', host_name,
ipautil.realm_to_suffix(realm_name))

View File

@ -27,7 +27,6 @@ from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
from ipapython.admintool import ScriptError
from ipaplatform import services
from ipaplatform.constants import constants as pconstants
from ipaplatform.tasks import tasks
from ipaplatform.paths import paths
from ipalib import api, constants, create_api, errors, rpc, x509
@ -77,18 +76,6 @@ def make_pkcs12_info(directory, cert_name, password_name):
return None
def install_http_certs(host_name, realm_name, subject_base):
principal = 'HTTP/%s@%s' % (host_name, realm_name)
subject = subject_base or DN(('O', realm_name))
db = certs.CertDB(realm_name, nssdir=paths.HTTPD_ALIAS_DIR,
subject_base=subject, user="root",
group=pconstants.HTTPD_GROUP, truncate=True)
db.request_service_cert('Server-Cert', principal, host_name)
# Obtain certificate for the HTTP service
http = httpinstance.HTTPInstance()
http.create_password_conf()
def install_replica_ds(config, options, ca_is_configured, remote_api,
ca_file, promote=False, pkcs12_info=None):
dsinstance.check_ports()
@ -175,7 +162,8 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
http.create_instance(
config.realm_name, config.host_name, config.domain_name,
pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file,
ca_is_configured=ca_is_configured, promote=promote)
ca_is_configured=ca_is_configured, promote=promote,
subject_base=config.subject_base)
return http
@ -1414,12 +1402,6 @@ def install(installer):
# Always try to install DNS records
install_dns_records(config, options, remote_api)
if promote and ca_enabled:
# we need to install http certs to setup ssl for httpd
install_http_certs(config.host_name,
config.realm_name,
config.subject_base)
ntpinstance.ntp_ldap_enable(config.host_name, ds.suffix,
remote_api.env.realm)
finally: