freeipa/install/restart_scripts/renew_ca_cert
Rob Crittenden 045b6e6ed9 Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
2013-01-29 11:16:38 -05:00

118 lines
4.2 KiB
Python

#!/usr/bin/python -E
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import sys
import shutil
import tempfile
import krbV
import syslog
import random
import time
from ipalib import api
from ipapython.dn import DN
from ipalib import errors
from ipapython import services as ipaservices
from ipapython import ipautil
from ipapython import dogtag
from ipaserver.install import certs
from ipaserver.install.cainstance import update_people_entry
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.cainstance import update_cert_config
from ipapython import certmonger
# This script a post-cert-install command for certmonger. When certmonger
# has renewed a CA subsystem certificate a copy is put into the replicated
# tree so it can be shared with the other IPA servers.
nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
configured_constants = dogtag.configured_constants(api)
alias_dir = configured_constants.ALIAS_DIR
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
cert = db.get_cert_from_db(nickname, pem=False)
if not cert:
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
sys.exit(1)
# Update or add it
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
try:
dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
conn.connect(ccache=ccache)
try:
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'] = cert
conn.update_entry(dn, entry_attrs, normalize=False)
except errors.NotFound:
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
usercertificate=cert)
conn.add_entry(dn, entry_attrs, normalize=False)
except errors.EmptyModlist:
pass
conn.disconnect()
except Exception, e:
syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
finally:
shutil.rmtree(tmpdir)
update_cert_config(nickname, cert)
if nickname == 'subsystemCert cert-pki-ca':
update_people_entry('pkidbuser', cert)
if nickname == 'auditSigningCert cert-pki-ca':
# Fix trust on the audit cert
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
args = ['-M',
'-n', nickname,
'-t', 'u,u,Pu',
]
try:
db.run_certutil(args)
syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
except ipautil.CalledProcessError:
syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
# Now we can start the CA. Using the ipaservices start should fire
# off the servlet to verify that the CA is actually up and responding so
# when this returns it should be good-to-go. The CA was stopped in the
# pre-save state.
syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
try:
if configured_constants.DOGTAG_VERSION == 9:
ipaservices.knownservices.pki_cad.start(dogtag_instance)
else:
ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
except Exception, e:
syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
(dogtag_instance, str(e)))