author | Rob Crittenden <rcritten@redhat.com> | 2014-12-02 13:18:36 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-29 11:16:38 -0500 |
commit | 045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch) | |
tree | ba63a832f67c4c9a8ceee62669b52dd37a853680 /install/restart_scripts/renew_ra_cert | |
parent | b382a77fc393a078ebbba8000284dd9abe75a3d5 (diff) | |
download | freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.gz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.xz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.zip |
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a renewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're safe
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'install/restart_scripts/renew_ra_cert')
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 54 |
1 files changed, 5 insertions, 49 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 1f359062b..a70ba5c1a 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -25,13 +25,11 @@ import tempfile
 import syslog
 import time
 from ipapython import services as ipaservices
-from ipapython.certmonger import get_pin
 from ipapython import ipautil
 from ipaserver.install import certs
-from ipaserver.install.cainstance import DEFAULT_DSPORT
+from ipaserver.install.cainstance import update_people_entry
 from ipalib import api
 from ipapython.dn import DN
-from ipalib import x509
 from ipalib import errors
 from ipaserver.plugins.ldap2 import ldap2
 import ldap as _ldap
@@ -41,52 +39,10 @@ api.finalize()
 
 # Fetch the new certificate
 db = certs.CertDB(api.env.realm)
-cert = db.get_cert_from_db('ipaCert', pem=False)
-serial_number = x509.get_serial_number(cert, datatype=x509.DER)
-subject = x509.get_subject(cert, datatype=x509.DER)
-issuer = x509.get_issuer(cert, datatype=x509.DER)
+dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-dn = DN(('uid','ipara'),('ou','People'),('o','ipaca'))
-
-try:
-    dm_password = get_pin('internaldb')
-except IOError, e:
-    syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
-    sys.exit(1)
-
-attempts = 0
-dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
-updated = False
-
-while attempts < 10:
-    conn = None
-    try:
-        conn = ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-        conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
-        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
-        entry_attrs['usercertificate'].append(cert)
-        entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
-        conn.update_entry(dn, entry_attrs, normalize=False)
-        updated = True
-        break
-    except errors.NetworkError:
-        syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed, sleeping 30s' % dogtag_uri)
-        time.sleep(30)
-        attempts += 1
-    except errors.EmptyModlist:
-        updated = True
-        break
-    except Exception, e:
-        syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
-        break
-    finally:
-        if conn.isconnected():
-            conn.disconnect()
-
-if not updated:
-    syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
-    sys.exit(1)
+update_people_entry('ipara', dercert)
 
 attempts = 0
 updated = False
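Review bot: The result of `update_people_entry('ipara', dercert)` is discarded, whereas the block it replaces logged "Giving up" and exited with status 1 when the ipara agent entry could not be updated, so certmonger saw a failed post_save. If the helper reports failure through its return value the script now continues to the second update and exits 0 with the RA agent entry stale; if it raises instead, the failure surfaces as an unhandled traceback rather than the syslog message that operators were looking for. Check what update_people_entry signals on failure and keep the non-zero exit, e.g. `if not update_people_entry('ipara', dercert):` followed by the previous syslog call and `sys.exit(1)`. Note also that the removed lines held the only definition of `dn` visible on this page while the third hunk still calls `conn.get_entry(dn, ...)`; presumably `dn` is rebound in the lines between the two hunks, but that is worth confirming.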
@@ -104,11 +60,11 @@ while attempts < 10:
         conn.connect(ccache=ccache)
         try:
             (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
-            entry_attrs['usercertificate'] = cert
+            entry_attrs['usercertificate'] = dercert
             conn.update_entry(dn, entry_attrs, normalize=False)
         except errors.NotFound:
             entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
-                               usercertificate=cert)
+                               usercertificate=dercert)
             conn.add_entry(dn, entry_attrs, normalize=False)
         except errors.EmptyModlist:
             pass