mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
045b6e6ed9
dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
118 lines
4.2 KiB
Python
118 lines
4.2 KiB
Python
#!/usr/bin/python -E
|
|
#
|
|
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2012 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import os
|
|
import sys
|
|
import shutil
|
|
import tempfile
|
|
import krbV
|
|
import syslog
|
|
import random
|
|
import time
|
|
from ipalib import api
|
|
from ipapython.dn import DN
|
|
from ipalib import errors
|
|
from ipapython import services as ipaservices
|
|
from ipapython import ipautil
|
|
from ipapython import dogtag
|
|
from ipaserver.install import certs
|
|
from ipaserver.install.cainstance import update_people_entry
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
from ipaserver.install.cainstance import update_cert_config
|
|
from ipapython import certmonger
|
|
|
|
# This script a post-cert-install command for certmonger. When certmonger
|
|
# has renewed a CA subsystem certificate a copy is put into the replicated
|
|
# tree so it can be shared with the other IPA servers.
|
|
|
|
nickname = sys.argv[1]
|
|
|
|
api.bootstrap(context='restart')
|
|
api.finalize()
|
|
|
|
configured_constants = dogtag.configured_constants(api)
|
|
alias_dir = configured_constants.ALIAS_DIR
|
|
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
|
|
|
|
# Fetch the new certificate
|
|
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
|
|
cert = db.get_cert_from_db(nickname, pem=False)
|
|
|
|
if not cert:
|
|
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
|
|
sys.exit(1)
|
|
|
|
# Update or add it
|
|
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
|
|
try:
|
|
dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
|
|
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
|
|
ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
|
|
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
|
|
conn.connect(ccache=ccache)
|
|
try:
|
|
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
|
|
entry_attrs['usercertificate'] = cert
|
|
conn.update_entry(dn, entry_attrs, normalize=False)
|
|
except errors.NotFound:
|
|
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
|
|
usercertificate=cert)
|
|
conn.add_entry(dn, entry_attrs, normalize=False)
|
|
except errors.EmptyModlist:
|
|
pass
|
|
conn.disconnect()
|
|
except Exception, e:
|
|
syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
|
|
finally:
|
|
shutil.rmtree(tmpdir)
|
|
|
|
update_cert_config(nickname, cert)
|
|
|
|
if nickname == 'subsystemCert cert-pki-ca':
|
|
update_people_entry('pkidbuser', cert)
|
|
|
|
if nickname == 'auditSigningCert cert-pki-ca':
|
|
# Fix trust on the audit cert
|
|
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
|
|
args = ['-M',
|
|
'-n', nickname,
|
|
'-t', 'u,u,Pu',
|
|
]
|
|
try:
|
|
db.run_certutil(args)
|
|
syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
|
|
except ipautil.CalledProcessError:
|
|
syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
|
|
|
|
# Now we can start the CA. Using the ipaservices start should fire
|
|
# off the servlet to verify that the CA is actually up and responding so
|
|
# when this returns it should be good-to-go. The CA was stopped in the
|
|
# pre-save state.
|
|
syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
|
|
try:
|
|
if configured_constants.DOGTAG_VERSION == 9:
|
|
ipaservices.knownservices.pki_cad.start(dogtag_instance)
|
|
else:
|
|
ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
|
|
except Exception, e:
|
|
syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
|
|
(dogtag_instance, str(e)))
|