mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 00:41:25 -06:00
49b36583a5
External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
355 lines
12 KiB
Python
Executable File
355 lines
12 KiB
Python
Executable File
#! /usr/bin/python -E
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
import sys
|
|
|
|
import logging, tempfile, shutil, os, pwd
|
|
import traceback
|
|
from ConfigParser import SafeConfigParser
|
|
import krbV
|
|
from optparse import OptionParser
|
|
|
|
import ipapython.config
|
|
from ipapython import ipautil
|
|
from ipaserver.install import dsinstance, installutils, certs, httpinstance
|
|
from ipaserver import ipaldap
|
|
from ipapython import version
|
|
from ipalib.constants import DEFAULT_CONFIG
|
|
from ipalib import api
|
|
import ldap
|
|
|
|
def parse_options():
|
|
usage = "%prog [options] FQDN (e.g. replica.example.com)"
|
|
parser = OptionParser(usage=usage, version=version.VERSION)
|
|
|
|
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
|
|
help="install certificate for the directory server")
|
|
parser.add_option("--http_pkcs12", dest="http_pkcs12",
|
|
help="install certificate for the http server")
|
|
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
|
|
help="PIN for the Directory Server PKCS#12 file")
|
|
parser.add_option("--http_pin", dest="http_pin",
|
|
help="PIN for the Apache Server PKCS#12 file")
|
|
parser.add_option("-p", "--password", dest="password",
|
|
help="Directory Manager (existing master) password")
|
|
|
|
ipapython.config.add_standard_options(parser)
|
|
options, args = parser.parse_args()
|
|
|
|
# If any of the PKCS#12 options are selected, all are required. Create a
|
|
# list of the options and count it to enforce that all are required without
|
|
# having a huge set of it blocks.
|
|
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
|
|
cnt = pkcs12.count(None)
|
|
if cnt > 0 and cnt < 4:
|
|
parser.error("error: All PKCS#12 options are required if any are used.")
|
|
|
|
if len(args) != 1:
|
|
parser.error("must provide the fully-qualified name of the replica")
|
|
|
|
ipapython.config.init_config(options)
|
|
|
|
return options, args
|
|
|
|
def get_host_name():
|
|
hostname = installutils.get_fqdn()
|
|
try:
|
|
installutils.verify_fqdn(hostname)
|
|
except RuntimeError, e:
|
|
logging.error(str(e))
|
|
sys.exit(1)
|
|
|
|
return hostname
|
|
|
|
def get_realm_name():
|
|
try:
|
|
c = krbV.default_context()
|
|
return c.default_realm
|
|
except Exception, e:
|
|
return None
|
|
|
|
def get_domain_name():
|
|
try:
|
|
ipapython.config.init_config()
|
|
domain_name = ipapython.config.config.get_domain()
|
|
except Exception, e:
|
|
return None
|
|
|
|
return domain_name
|
|
|
|
def check_ipa_configuration(realm_name):
|
|
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
|
|
if not ipautil.dir_exists(config_dir):
|
|
logging.error("could not find directory instance: %s" % config_dir)
|
|
sys.exit(1)
|
|
|
|
def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname):
|
|
"""realm is the kerberos realm for the IPA server.
|
|
ds_dir is the location of the master DS we are creating a replica for.
|
|
dir is the location of the files for the replica we are creating.
|
|
passwd_fname is the file containing the PKCS#12 password
|
|
fname is the filename of the PKCS#12 file for this cert (minus the .p12).
|
|
hostname is the FQDN of the server we're creating a cert for.
|
|
|
|
The subject is handled by certs.CertDB:create_server_cert()
|
|
"""
|
|
try:
|
|
self_signed = certs.ipa_self_signed()
|
|
|
|
db = certs.CertDB(dir)
|
|
db.create_passwd_file()
|
|
# if self_signed:
|
|
# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
|
|
# db.create_from_cacert(ca_db.cacert_fname)
|
|
# else:
|
|
# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
|
|
ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
|
|
db.create_from_cacert(ca_db.cacert_fname)
|
|
db.create_server_cert("Server-Cert", hostname, ca_db)
|
|
except Exception, e:
|
|
raise e
|
|
|
|
pkcs12_fname = dir + "/" + fname + ".p12"
|
|
|
|
try:
|
|
db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
|
|
except ipautil.CalledProcessError, e:
|
|
print "error exporting Server certificate: " + str(e)
|
|
remove_file(pkcs12_fname)
|
|
remove_file(passwd_fname)
|
|
|
|
remove_file(dir + "/cert8.db")
|
|
remove_file(dir + "/key3.db")
|
|
remove_file(dir + "/secmod.db")
|
|
remove_file(dir + "/noise.txt")
|
|
if ipautil.file_exists(passwd_fname + ".orig"):
|
|
remove_file(passwd_fname + ".orig")
|
|
|
|
def export_ra_pkcs12(dir, dm_password):
|
|
"""
|
|
dir is the location of the files for the replica we are creating.
|
|
dm_password is the Directory Manager password
|
|
|
|
If this install is using dogtag/RHCS then export the RA certificate.
|
|
"""
|
|
if certs.ipa_self_signed():
|
|
return
|
|
|
|
(agent_fd, agent_name) = tempfile.mkstemp()
|
|
os.write(agent_fd, dm_password)
|
|
os.close(agent_fd)
|
|
|
|
try:
|
|
try:
|
|
db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
|
|
|
|
if db.has_nickname("ipaCert"):
|
|
pkcs12_fname = "%s/ra.p12" % dir
|
|
db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
|
|
except Exception, e:
|
|
raise e
|
|
finally:
|
|
os.remove(agent_name)
|
|
|
|
def get_ds_user(ds_dir):
|
|
uid = os.stat(ds_dir).st_uid
|
|
user = pwd.getpwuid(uid)[0]
|
|
|
|
return user
|
|
|
|
def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host):
|
|
config = SafeConfigParser()
|
|
config.add_section("realm")
|
|
config.set("realm", "realm_name", realm_name)
|
|
config.set("realm", "master_host_name", host_name)
|
|
config.set("realm", "ds_user", ds_user)
|
|
config.set("realm", "domain_name", domain_name)
|
|
config.set("realm", "destination_host", dest_host)
|
|
fd = open(dir + "/realm_info", "w")
|
|
config.write(fd)
|
|
|
|
def remove_file(fname, ignore_errors=True):
|
|
try:
|
|
os.remove(fname)
|
|
except OSError, e:
|
|
if not ignore_errors:
|
|
raise e
|
|
|
|
def copy_files(realm_name, dir):
|
|
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
|
|
|
|
try:
|
|
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
|
|
shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
|
|
shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
|
|
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
|
|
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
|
|
shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
|
|
except Exception, e:
|
|
print "error copying files: " + str(e)
|
|
sys.exit(1)
|
|
|
|
def get_dirman_password():
|
|
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
|
|
|
|
def main():
|
|
options, args = parse_options()
|
|
|
|
replica_fqdn = args[0]
|
|
|
|
# Just initialize the environment. This is so the installer can have
|
|
# access to the plugin environment
|
|
api.env._bootstrap()
|
|
api.env._finalize_core(**dict(DEFAULT_CONFIG))
|
|
|
|
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
|
|
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
|
|
|
|
print "Determining current realm name"
|
|
realm_name = get_realm_name()
|
|
if realm_name is None:
|
|
print "Unable to determine default realm"
|
|
sys.exit(1)
|
|
|
|
check_ipa_configuration(realm_name)
|
|
|
|
print "Getting domain name from LDAP"
|
|
domain_name = get_domain_name()
|
|
if domain_name is None:
|
|
print "Unable to determine LDAP default domain"
|
|
sys.exit(1)
|
|
|
|
host_name = get_host_name()
|
|
if host_name == replica_fqdn:
|
|
print "You can't create a replica on itself"
|
|
sys.exit(1)
|
|
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
|
|
ds_user = get_ds_user(ds_dir)
|
|
|
|
# get the directory manager password
|
|
dirman_password = options.password
|
|
if not options.password:
|
|
try:
|
|
dirman_password = get_dirman_password()
|
|
except KeyboardInterrupt:
|
|
sys.exit(0)
|
|
|
|
# Try out the password
|
|
try:
|
|
conn = ipaldap.IPAdmin(host_name)
|
|
conn.do_simple_bind(bindpw=dirman_password)
|
|
conn.unbind()
|
|
except ldap.CONNECT_ERROR, e:
|
|
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
|
|
except ldap.SERVER_DOWN, e:
|
|
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
|
|
except ldap.INVALID_CREDENTIALS, e :
|
|
sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name)
|
|
|
|
print "Preparing replica for %s from %s" % (replica_fqdn, host_name)
|
|
|
|
top_dir = tempfile.mkdtemp("ipa")
|
|
dir = top_dir + "/realm_info"
|
|
os.mkdir(dir, 0700)
|
|
|
|
if options.dirsrv_pin:
|
|
passwd = options.dirsrv_pin
|
|
else:
|
|
passwd = ""
|
|
|
|
passwd_fname = dir + "/dirsrv_pin.txt"
|
|
fd = open(passwd_fname, "w")
|
|
fd.write("%s\n" % passwd)
|
|
fd.close()
|
|
|
|
if options.dirsrv_pkcs12:
|
|
print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12
|
|
try:
|
|
shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12")
|
|
except IOError, e:
|
|
print "Copy failed %s" % e
|
|
sys.exit(1)
|
|
else:
|
|
try:
|
|
if not certs.ipa_self_signed():
|
|
# FIXME, need option for location of CA backup
|
|
if ipautil.file_exists("/root/tmp-ca.p12"):
|
|
shutil.copy("/root/tmp-ca.p12", dir + "/ca.p12")
|
|
else:
|
|
raise RuntimeError("Root CA PKCS#12 not found in /root/tmp-ca.p12")
|
|
except IOError, e:
|
|
print "Copy failed %s" % e
|
|
sys.exit(1)
|
|
print "Creating SSL certificate for the Directory Server"
|
|
export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn)
|
|
|
|
if options.http_pin:
|
|
passwd = options.http_pin
|
|
else:
|
|
passwd = ""
|
|
|
|
passwd_fname = dir + "/http_pin.txt"
|
|
fd = open(passwd_fname, "w")
|
|
fd.write("%s\n" % passwd)
|
|
fd.close()
|
|
|
|
if options.http_pkcs12:
|
|
print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12
|
|
try:
|
|
shutil.copy(options.http_pkcs12, dir + "/httpcert.p12")
|
|
except IOError, e:
|
|
print "Copy failed %s" % e
|
|
sys.exit(1)
|
|
else:
|
|
print "Creating SSL certificate for the Web Server"
|
|
export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn)
|
|
print "Exporting RA certificate"
|
|
export_ra_pkcs12(dir, dirman_password)
|
|
print "Copying additional files"
|
|
copy_files(realm_name, dir)
|
|
print "Finalizing configuration"
|
|
save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn)
|
|
|
|
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
|
|
encfile = replicafile+".gpg"
|
|
|
|
print "Packaging replica information into %s" % encfile
|
|
ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
|
|
ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
|
|
|
|
remove_file(replicafile)
|
|
shutil.rmtree(dir)
|
|
|
|
try:
|
|
if not os.geteuid()==0:
|
|
sys.exit("\nYou must be root to run this script.\n")
|
|
|
|
main()
|
|
except SystemExit, e:
|
|
sys.exit(e)
|
|
except Exception, e:
|
|
print "preparation of replica failed: %s" % str(e)
|
|
message = str(e)
|
|
for str in traceback.format_tb(sys.exc_info()[2]):
|
|
message = message + "\n" + str
|
|
logging.debug(message)
|
|
print message
|
|
sys.exit(1)
|