authorJan Cholasta <jcholast@redhat.com>2014-07-23 13:25:22 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit03b29b4c8e4109bbfbc1468baa60b521bc32cdb1 (patch)
treeba8c91d3ee2dfc49fed128dcbcfef0dd447d1ff6 /install/restart_scripts
parentd27e77adc56f5a04f3bdd1aaed5440a89ed3acad (diff)
Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.
Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/renew_ca_cert71
1 files changed, 62 insertions, 9 deletions
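--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -121,23 +121,76 @@ def main():
 else:
 syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
-# Update CA certificate in LDAP
-if ca.is_renewal_master():
-try:
-conn = ldap2(shared_instance=False,
-ldap_uri=api.env.ldap_uri)
-conn.connect(ccache=ccache)
-
+# Remove old external CA certificates
+for ca_nick, ca_flags in db.list_certs():
+if 'u' in ca_flags:
+continue
+# Delete *all* certificates that use the nickname
+while True:
+try:
+db.delete_cert(ca_nick)
+except ipautil.CalledProcessError:
+syslog.syslog(
+syslog.LOG_ERR,
+"Failed to remove certificate %s" % ca_nick)
+break
+if not db.has_nickname(ca_nick):
+break
+
+conn = None
+try:
+conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+conn.connect(ccache=ccache)
+except Exception, e:
+syslog.syslog(
+syslog.LOG_ERR, "Failed to connect to LDAP: %s" % e)
+else:
+# Update CA certificate in LDAP
+if ca.is_renewal_master():
 try:
 certstore.update_ca_cert(conn, api.env.basedn, cert)
 except errors.EmptyModlist:
 pass
+except Exception, e:
+syslog.syslog(
+syslog.LOG_ERR,
+"Updating CA certificate failed: %s" % e)
-conn.disconnect()
+# Add external CA certificates
+ca_issuer = str(x509.get_issuer(cert, x509.DER))
+try:
+ca_certs = certstore.get_ca_certs(
+conn, api.env.basedn, api.env.realm, False,
+filter_subject=ca_issuer)
 except Exception, e:
 syslog.syslog(
 syslog.LOG_ERR,
-"Updating CA certificate failed: %s" % e)
+"Failed to get external CA certificates from LDAP: "
+"%s" % e)
+ca_certs = []
+
+for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
+ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
+nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
+nick = nick_base
+i = 1
+while db.has_nickname(nick):
+nick = '%s [%s]' % (nick_base, i)
+i += 1
+if ca_trusted is False:
+flags = 'p,p,p'
+else:
+flags = 'CT,c,'
+
+try:
+db.add_cert(ca_cert, nick, flags)
+except ipautil.CalledProcessError, e:
+syslog.syslog(
+syslog.LOG_ERR,
+"Failed to add certificate %s" % ca_nick)
+finally:
+if conn is not None and conn.isconnected():
+conn.disconnect()
 finally:
 shutil.rmtree(tmpdir)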
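Review bot: The removal loop (`for ca_nick, ca_flags in db.list_certs()` through the `break` after `has_nickname`) strips every non-'u' certificate from the Dogtag NSS DB before LDAP has been contacted, so if `conn.connect(ccache=ccache)` raises or `certstore.get_ca_certs(...)` fails and falls into `ca_certs = []`, the script exits having deleted the external CA chain and re-added nothing, leaving the CA without its trust anchors until a later renewal. Fetch first and delete only on success: move the removal loop into an `else:` clause of the `get_ca_certs` try/except, so the old certificates are replaced only once their replacements are in hand; the rest of the hunk is unchanged apart from that reordering. The `except ipautil.CalledProcessError, e:` handler on `add_cert` logs the LDAP nickname `ca_nick` rather than the `nick` actually passed to `add_cert` and discards `e`; `"Failed to add certificate %s: %s" % (nick, e)` would name the failing entry and the reason. The trust decision `if ca_trusted is False: flags = 'p,p,p' else: flags = 'CT,c,'` grants full CA trust to any value other than exactly `False` — if `get_ca_certs` can ever return an unset/`None` trust (not visible in this hunk, please confirm), `if ca_trusted is not True` is the safer test. `main()` begins and ends outside this hunk.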