IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
03837bfd6dbf7fd1eaa437da22807d7061b99af7
freeipa/install/restart_scripts/renew_ra_cert
Rob Crittenden 03837bfd6d Use certmonger to renew CA subsystem certificates 
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00

97 lines
3.5 KiB
Python
Raw Blame History

#!/usr/bin/python -E
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
import shutil
import tempfile
import syslog
from ipapython import services as ipaservices
from ipapython.certmonger import get_pin
from ipapython import ipautil
from ipaserver.install import certs
from ipaserver.install.cainstance import DEFAULT_DSPORT
from ipalib import api
from ipalib.dn import DN
from ipalib import x509
from ipalib import errors
from ipaserver.plugins.ldap2 import ldap2
api.bootstrap(context='restart')
api.finalize()
# Fetch the new certificate
db = certs.CertDB(api.env.realm)
cert = db.get_cert_from_db('ipaCert', pem=False)
serial_number = x509.get_serial_number(cert, datatype=x509.DER)
subject = x509.get_subject(cert, datatype=x509.DER)
issuer = x509.get_issuer(cert, datatype=x509.DER)
# Load it into dogtag
dn = str(DN(('uid','ipara'),('ou','People'),('o','ipaca')))
try:
dm_password = get_pin('internaldb')
except IOError, e:
syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
sys.exit(1)
try:
conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
entry_attrs['usercertificate'].append(cert)
entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
conn.update_entry(dn, entry_attrs, normalize=False)
conn.disconnect()
except Exception, e:
syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
sys.exit(1)
# Store it in the IPA LDAP server
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
try:
dn = str(DN(('cn','ipaCert'),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
conn.connect(ccache=ccache)
try:
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'] = cert
conn.update_entry(dn, entry_attrs, normalize=False)
except errors.NotFound:
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
usercertificate=cert)
conn.add_entry(dn, entry_attrs, normalize=False)
except errors.EmptyModlist:
pass
conn.disconnect()
except Exception, e:
syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
finally:
shutil.rmtree(tmpdir)
# Now restart Apache so the new certificate is available
try:
ipaservices.knownservices.httpd.restart()
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
Reference in New Issue View Git Blame Copy Permalink