Use certmonger to renew CA subsystem certificates

Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803

2 files changed, 94 insertions, 0 deletions

diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
new file mode 100644
index 000000000..2023a2aec
--- /dev/null
+++ b/install/certmonger/Makefile.am
@@ -0,0 +1,14 @@
+NULL =
+
+appdir = $(libexecdir)/certmonger/
+app_SCRIPTS =					\
+	dogtag-ipa-retrieve-agent-submit	\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_SCRIPTS)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in
diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit
new file mode 100644
index 000000000..24e1844a5
--- /dev/null
+++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit
@@ -0,0 +1,80 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The certificate rewewal is done on only one dogtag CA. The others
+# retrieve the updated certificate from IPA.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipalib import x509
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+import base64
+
+# We cheat and pass in the nickname as the CA profile to execute against.
+# Some way is needed to determine which entry to retrieve from LDAP
+operation = os.environ.get('CERTMONGER_OPERATION')
+nickname = os.environ.get('CERTMONGER_CA_PROFILE')
+
+if operation not in ['SUBMIT', 'POLL']:
+    sys.exit(6) # unsupported operation
+
+api.bootstrap(context='renew')
+api.finalize()
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        cert = entry_attrs['usercertificate'][0]
+        cert = base64.b64encode(cert)
+        print x509.make_pem(cert)
+    except errors.NotFound:
+        syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available" % nickname)
+        # No cert available yet, tell certmonger to wait another 8 hours
+        print 8 * 60 * 60
+        sys.exit(5)
+    finally:
+        conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Exception trying to retrieve %s: %s" % (nickname, e))
+    # Unhandled error
+    sys.exit(3)
+finally:
+    shutil.rmtree(tmpdir)
+
+sys.exit(0)