mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
e4470f8165
Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
372 lines
13 KiB
Python
Executable File
372 lines
13 KiB
Python
Executable File
#! /usr/bin/python -E
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
import sys
|
|
|
|
import logging, tempfile, shutil, os, pwd
|
|
import traceback
|
|
from ConfigParser import SafeConfigParser
|
|
import krbV
|
|
from optparse import OptionParser
|
|
|
|
import ipapython.config
|
|
from ipapython import ipautil
|
|
from ipaserver.install import dsinstance, installutils, certs, httpinstance
|
|
from ipaserver import ipaldap
|
|
from ipapython import version
|
|
from ipalib.constants import DEFAULT_CONFIG
|
|
from ipalib import api
|
|
from ipalib import util
|
|
import ldap
|
|
|
|
def parse_options():
|
|
usage = "%prog [options] FQDN (e.g. replica.example.com)"
|
|
parser = OptionParser(usage=usage, version=version.VERSION)
|
|
|
|
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
|
|
help="install certificate for the directory server")
|
|
parser.add_option("--http_pkcs12", dest="http_pkcs12",
|
|
help="install certificate for the http server")
|
|
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
|
|
help="PIN for the Directory Server PKCS#12 file")
|
|
parser.add_option("--http_pin", dest="http_pin",
|
|
help="PIN for the Apache Server PKCS#12 file")
|
|
parser.add_option("-p", "--password", dest="password",
|
|
help="Directory Manager (existing master) password")
|
|
|
|
ipapython.config.add_standard_options(parser)
|
|
options, args = parser.parse_args()
|
|
|
|
# If any of the PKCS#12 options are selected, all are required. Create a
|
|
# list of the options and count it to enforce that all are required without
|
|
# having a huge set of it blocks.
|
|
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
|
|
cnt = pkcs12.count(None)
|
|
if cnt > 0 and cnt < 4:
|
|
parser.error("All PKCS#12 options are required if any are used.")
|
|
|
|
if len(args) != 1:
|
|
parser.error("must provide the fully-qualified name of the replica")
|
|
|
|
ipapython.config.init_config(options)
|
|
|
|
return options, args
|
|
|
|
def get_host_name():
|
|
hostname = installutils.get_fqdn()
|
|
try:
|
|
installutils.verify_fqdn(hostname)
|
|
except RuntimeError, e:
|
|
logging.error(str(e))
|
|
sys.exit(1)
|
|
|
|
return hostname
|
|
|
|
def get_realm_name():
|
|
try:
|
|
c = krbV.default_context()
|
|
return c.default_realm
|
|
except Exception, e:
|
|
return None
|
|
|
|
def get_domain_name():
|
|
try:
|
|
ipapython.config.init_config()
|
|
domain_name = ipapython.config.config.get_domain()
|
|
except Exception, e:
|
|
return None
|
|
|
|
return domain_name
|
|
|
|
def get_subject_base(host_name, dm_password, suffix):
|
|
try:
|
|
conn = ipaldap.IPAdmin(host_name)
|
|
conn.do_simple_bind(bindpw=dm_password)
|
|
except Exception, e:
|
|
logging.critical("Could not connect to the Directory Server on %s" % host_name)
|
|
raise e
|
|
entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
|
|
return entry.getValue('ipacertificatesubjectbase')
|
|
|
|
def check_ipa_configuration(realm_name):
|
|
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
|
|
if not ipautil.dir_exists(config_dir):
|
|
logging.error("could not find directory instance: %s" % config_dir)
|
|
sys.exit(1)
|
|
|
|
def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None):
|
|
"""realm is the kerberos realm for the IPA server.
|
|
ds_dir is the location of the master DS we are creating a replica for.
|
|
dir is the location of the files for the replica we are creating.
|
|
passwd_fname is the file containing the PKCS#12 password
|
|
fname is the filename of the PKCS#12 file for this cert (minus the .p12).
|
|
hostname is the FQDN of the server we're creating a cert for.
|
|
|
|
The subject is handled by certs.CertDB:create_server_cert()
|
|
"""
|
|
try:
|
|
self_signed = certs.ipa_self_signed()
|
|
|
|
db = certs.CertDB(dir, subject_base=subject_base)
|
|
db.create_passwd_file()
|
|
# if self_signed:
|
|
# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
|
|
# db.create_from_cacert(ca_db.cacert_fname)
|
|
# else:
|
|
# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
|
|
ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name(), subject_base=subject_base)
|
|
db.create_from_cacert(ca_db.cacert_fname)
|
|
db.create_server_cert("Server-Cert", hostname, ca_db)
|
|
except Exception, e:
|
|
raise e
|
|
|
|
pkcs12_fname = dir + "/" + fname + ".p12"
|
|
|
|
try:
|
|
db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
|
|
except ipautil.CalledProcessError, e:
|
|
print "error exporting Server certificate: " + str(e)
|
|
remove_file(pkcs12_fname)
|
|
remove_file(passwd_fname)
|
|
|
|
remove_file(dir + "/cert8.db")
|
|
remove_file(dir + "/key3.db")
|
|
remove_file(dir + "/secmod.db")
|
|
remove_file(dir + "/noise.txt")
|
|
if ipautil.file_exists(passwd_fname + ".orig"):
|
|
remove_file(passwd_fname + ".orig")
|
|
|
|
def export_ra_pkcs12(dir, dm_password):
|
|
"""
|
|
dir is the location of the files for the replica we are creating.
|
|
dm_password is the Directory Manager password
|
|
|
|
If this install is using dogtag/RHCS then export the RA certificate.
|
|
"""
|
|
if certs.ipa_self_signed():
|
|
return
|
|
|
|
(agent_fd, agent_name) = tempfile.mkstemp()
|
|
os.write(agent_fd, dm_password)
|
|
os.close(agent_fd)
|
|
|
|
try:
|
|
try:
|
|
db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name())
|
|
|
|
if db.has_nickname("ipaCert"):
|
|
pkcs12_fname = "%s/ra.p12" % dir
|
|
db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
|
|
except Exception, e:
|
|
raise e
|
|
finally:
|
|
os.remove(agent_name)
|
|
|
|
def get_ds_user(ds_dir):
|
|
uid = os.stat(ds_dir).st_uid
|
|
user = pwd.getpwuid(uid)[0]
|
|
|
|
return user
|
|
|
|
def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host,
|
|
subject_base):
|
|
config = SafeConfigParser()
|
|
config.add_section("realm")
|
|
config.set("realm", "realm_name", realm_name)
|
|
config.set("realm", "master_host_name", host_name)
|
|
config.set("realm", "ds_user", ds_user)
|
|
config.set("realm", "domain_name", domain_name)
|
|
config.set("realm", "destination_host", dest_host)
|
|
config.set("realm", "subject_base", subject_base)
|
|
fd = open(dir + "/realm_info", "w")
|
|
config.write(fd)
|
|
|
|
def remove_file(fname, ignore_errors=True):
|
|
try:
|
|
os.remove(fname)
|
|
except OSError, e:
|
|
if not ignore_errors:
|
|
raise e
|
|
|
|
def copy_files(realm_name, dir):
|
|
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
|
|
|
|
try:
|
|
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
|
|
shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
|
|
shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
|
|
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
|
|
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
|
|
shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
|
|
except Exception, e:
|
|
print "error copying files: " + str(e)
|
|
sys.exit(1)
|
|
|
|
def get_dirman_password():
|
|
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
|
|
|
|
def main():
|
|
options, args = parse_options()
|
|
|
|
replica_fqdn = args[0]
|
|
|
|
# Just initialize the environment. This is so the installer can have
|
|
# access to the plugin environment
|
|
api.env._bootstrap()
|
|
api.env._finalize_core(**dict(DEFAULT_CONFIG))
|
|
|
|
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
|
|
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
|
|
|
|
print "Determining current realm name"
|
|
realm_name = get_realm_name()
|
|
if realm_name is None:
|
|
print "Unable to determine default realm"
|
|
sys.exit(1)
|
|
|
|
check_ipa_configuration(realm_name)
|
|
|
|
print "Getting domain name from LDAP"
|
|
domain_name = get_domain_name()
|
|
if domain_name is None:
|
|
print "Unable to determine LDAP default domain"
|
|
sys.exit(1)
|
|
|
|
host_name = get_host_name()
|
|
if host_name == replica_fqdn:
|
|
print "You can't create a replica on itself"
|
|
sys.exit(1)
|
|
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
|
|
ds_user = get_ds_user(ds_dir)
|
|
|
|
# get the directory manager password
|
|
dirman_password = options.password
|
|
if not options.password:
|
|
try:
|
|
dirman_password = get_dirman_password()
|
|
except KeyboardInterrupt:
|
|
sys.exit(0)
|
|
|
|
# Try out the password
|
|
try:
|
|
conn = ipaldap.IPAdmin(host_name)
|
|
conn.do_simple_bind(bindpw=dirman_password)
|
|
conn.unbind()
|
|
except ldap.CONNECT_ERROR, e:
|
|
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
|
|
except ldap.SERVER_DOWN, e:
|
|
sys.exit("\nUnable to connect to LDAP server %s" % host_name)
|
|
except ldap.INVALID_CREDENTIALS, e :
|
|
sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name)
|
|
|
|
print "Preparing replica for %s from %s" % (replica_fqdn, host_name)
|
|
|
|
subject_base = get_subject_base(host_name, dirman_password, util.realm_to_suffix(realm_name))
|
|
|
|
top_dir = tempfile.mkdtemp("ipa")
|
|
dir = top_dir + "/realm_info"
|
|
os.mkdir(dir, 0700)
|
|
|
|
if options.dirsrv_pin:
|
|
passwd = options.dirsrv_pin
|
|
else:
|
|
passwd = ""
|
|
|
|
passwd_fname = dir + "/dirsrv_pin.txt"
|
|
fd = open(passwd_fname, "w")
|
|
fd.write("%s\n" % passwd)
|
|
fd.close()
|
|
|
|
if options.dirsrv_pkcs12:
|
|
print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12
|
|
try:
|
|
shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12")
|
|
except IOError, e:
|
|
print "Copy failed %s" % e
|
|
sys.exit(1)
|
|
else:
|
|
try:
|
|
if not certs.ipa_self_signed():
|
|
# FIXME, need option for location of CA backup
|
|
if ipautil.file_exists("/root/tmp-ca.p12"):
|
|
shutil.copy("/root/tmp-ca.p12", dir + "/ca.p12")
|
|
else:
|
|
raise RuntimeError("Root CA PKCS#12 not found in /root/tmp-ca.p12")
|
|
except IOError, e:
|
|
print "Copy failed %s" % e
|
|
sys.exit(1)
|
|
print "Creating SSL certificate for the Directory Server"
|
|
export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
|
|
|
|
if options.http_pin:
|
|
passwd = options.http_pin
|
|
else:
|
|
passwd = ""
|
|
|
|
passwd_fname = dir + "/http_pin.txt"
|
|
fd = open(passwd_fname, "w")
|
|
fd.write("%s\n" % passwd)
|
|
fd.close()
|
|
|
|
if options.http_pkcs12:
|
|
print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12
|
|
try:
|
|
shutil.copy(options.http_pkcs12, dir + "/httpcert.p12")
|
|
except IOError, e:
|
|
print "Copy failed %s" % e
|
|
sys.exit(1)
|
|
else:
|
|
print "Creating SSL certificate for the Web Server"
|
|
export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base)
|
|
print "Exporting RA certificate"
|
|
export_ra_pkcs12(dir, dirman_password)
|
|
|
|
print "Copying additional files"
|
|
copy_files(realm_name, dir)
|
|
|
|
print "Finalizing configuration"
|
|
save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn, subject_base)
|
|
|
|
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
|
|
encfile = replicafile+".gpg"
|
|
|
|
print "Packaging replica information into %s" % encfile
|
|
ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
|
|
ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
|
|
|
|
remove_file(replicafile)
|
|
shutil.rmtree(dir)
|
|
|
|
try:
|
|
if not os.geteuid()==0:
|
|
sys.exit("\nYou must be root to run this script.\n")
|
|
|
|
main()
|
|
except SystemExit, e:
|
|
sys.exit(e)
|
|
except Exception, e:
|
|
print "preparation of replica failed: %s" % str(e)
|
|
message = str(e)
|
|
for str in traceback.format_tb(sys.exc_info()[2]):
|
|
message = message + "\n" + str
|
|
logging.debug(message)
|
|
print message
|
|
sys.exit(1)
|