author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 08:40:31 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
commit | 6a19738a4560ffbfe5a70699d787c4a44a9518c5 (patch) | |
tree | 0dedb215bd13f7f17a63a6166f18e31a60334e0c /install/restart_scripts/renew_ra_cert | |
parent | a356c3806b4e98207fa7d729ad921aded0a34c62 (diff) | |
Use dogtag-ipa-ca-renew-agent to track certificates on master CA.
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ra_cert')
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 70 |
1 files changed, 15 insertions, 55 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 7628e9b9e..7dc2c57e7 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -2,8 +2,9 @@
 #
 # Authors:
 # Rob Crittenden <rcritten@redhat.com>
+# Jan Cholasta <jcholast@redhat.com>
 #
-# Copyright (C) 2012 Red Hat
+# Copyright (C) 2013 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -20,19 +21,14 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 import sys
-import shutil
-import tempfile
 import syslog
-import time
 import traceback
+
 from ipapython import services as ipaservices
-from ipapython import ipautil
-from ipaserver.install import certs
-from ipaserver.install.cainstance import update_people_entry
 from ipalib import api
-from ipapython.dn import DN
-from ipalib import errors
-from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import certs, cainstance
+
+nickname = 'ipaCert'
 
 def main():
     api.bootstrap(context='restart')
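Review bot: The new module-level `nickname = 'ipaCert'` is a constant but is named like a variable; `NICKNAME = 'ipaCert'` (with the matching reference in main() updated) would follow the usual convention. A one-line comment above it such as `# nickname under which the renewed certificate is looked up in the CertDB` would also tell a reader where the value is used without tracing into main(). The `def main():` shown as trailing context continues in the next hunk.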
@@ -40,58 +36,22 @@ def main():
 
     # Fetch the new certificate
     db = certs.CertDB(api.env.realm)
-    dercert = db.get_cert_from_db('ipaCert', pem=False)
+    dercert = db.get_cert_from_db(nickname, pem=False)
+    if not dercert:
+        syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+        sys.exit(1)
 
     # Load it into dogtag
-    update_people_entry(dercert)
-
-    attempts = 0
-    updated = False
-
-    # Store it in the IPA LDAP server
-    while attempts < 10:
-        conn = None
-        tmpdir = None
-        try:
-            tmpdir = tempfile.mkdtemp(prefix="tmp-")
-            dn = DN(('cn','ipaCert'), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
-            principal = str('host/%s@%s' % (api.env.host, api.env.realm))
-            ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
-            conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
-            conn.connect(ccache=ccache)
-            try:
-                entry_attrs = conn.get_entry(dn, ['usercertificate'])
-                entry_attrs['usercertificate'] = dercert
-                conn.update_entry(entry_attrs)
-            except errors.NotFound:
-                entry_attrs = conn.make_entry(
-                    dn,
-                    objectclass=['top', 'pkiuser', 'nscontainer'],
-                    usercertificate=[dercert])
-                conn.add_entry(entry_attrs)
-            except errors.EmptyModlist:
-                pass
-            updated = True
-            break
-        except Exception, e:
-            syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s. Sleeping 30s' % e)
-            time.sleep(30)
-            attempts += 1
-        finally:
-            if conn is not None and conn.isconnected():
-                conn.disconnect()
-            if tmpdir is not None:
-                shutil.rmtree(tmpdir)
-
-    if not updated:
-        syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
-        sys.exit(1)
+    cainstance.update_people_entry(dercert)
 
     # Now restart Apache so the new certificate is available
+    syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
     try:
         ipaservices.knownservices.httpd.restart()
     except Exception, e:
-        syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
+        syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
+    else:
+        syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
 
 try:
     main()
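Review bot: A failed httpd restart is only logged: after `syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)` the function falls through and the script exits 0, so the caller cannot tell that httpd is still serving the old certificate, whereas the new `if not dercert:` branch does report its failure with `sys.exit(1)`. For consistency, add `sys.exit(1)` after the error log in the `except` branch. The new `cainstance.update_people_entry(dercert)` call has no local handling, so a failure there presumably propagates to the module-level `try: main()`, whose `except` lies past the end of this hunk; a brief comment above the call stating that this is intended would help the next reader. main() begins before this hunk.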