authorJan Cholasta <jcholast@redhat.com>2014-07-18 11:01:13 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit7086183519bd82ef1e277ceb3ee45438c6695159 (patch)
tree8dd3dc02dc220a7829a414506333862234e591df /install/restart_scripts
parente16d2623aee089f07854ffc32b976e45d17c03ff (diff)
Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/renew_ca_cert83
-rw-r--r--install/restart_scripts/renew_ra_cert35
2 files changed, 67 insertions, 51 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 9e63ef8da..b66cfa292 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -72,50 +72,53 @@ def main():
cainstance.update_cert_config(nickname, cert, configured_constants)
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- cainstance.update_people_entry(cert)
-
- if nickname == 'auditSigningCert cert-pki-ca':
- # Fix trust on the audit cert
- try:
- db.run_certutil(['-M',
- '-n', nickname,
- '-t', 'u,u,Pu'])
- syslog.syslog(
- syslog.LOG_NOTICE,
- "Updated trust on certificate %s in %s" % (nickname, db.secdir))
- except ipautil.CalledProcessError:
- syslog.syslog(
- syslog.LOG_ERR,
- "Updating trust on certificate %s failed in %s" %
- (nickname, db.secdir))
- elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
- # Update CA certificate in LDAP
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
- try:
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
- principal)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+ principal)
- conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ cainstance.update_people_entry(cert)
- dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
- api.env.basedn)
+ if nickname == 'auditSigningCert cert-pki-ca':
+ # Fix trust on the audit cert
+ try:
+ db.run_certutil(['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu'])
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ "Updated trust on certificate %s in %s" %
+ (nickname, db.secdir))
+ except ipautil.CalledProcessError:
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Updating trust on certificate %s failed in %s" %
+ (nickname, db.secdir))
+ elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
+ # Update CA certificate in LDAP
try:
- entry = conn.get_entry(dn, attrs_list=['cACertificate;binary'])
- entry['cACertificate;binary'] = [cert]
- conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
- conn.disconnect()
- except Exception, e:
- syslog.syslog(
- syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
- finally:
- shutil.rmtree(tmpdir)
+ dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
+ api.env.basedn)
+ try:
+ entry = conn.get_entry(
+ dn, attrs_list=['cACertificate;binary'])
+ entry['cACertificate;binary'] = [cert]
+ conn.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
+ conn.disconnect()
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
+ finally:
+ shutil.rmtree(tmpdir)
# Now we can start the CA. Using the services start should fire
# off the servlet to verify that the CA is actually up and responding so
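Review bot: The `ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)` call that now opens the try block runs outside any exception handler, so a keytab or KDC problem propagates out of main() before the audit-cert trust fix and before the CA start that follows the hunk, whereas the old code only reached kinit inside the caSigningCert branch's `except Exception` handler; the renew_ra_cert hunk has the same shape, where such a failure would skip the httpd restart. The audit trust fix only touches `db`, so it can run ahead of the tmpdir/kinit block, and kinit, CAInstance and the LDAP update can share one logging handler so the CA is still started. Separately, `conn.disconnect()` is still not in a `finally:`, so a get_entry/update_entry error other than EmptyModlist is logged but leaves the connection open. main() begins and ends outside the hunk.
```python
    if nickname == 'auditSigningCert cert-pki-ca':
        # Fix trust on the audit cert: needs only the NSS db, so do it
        # before anything that depends on kinit/LDAP
        # … unchanged: db.run_certutil() and its syslog calls …

    tmpdir = tempfile.mkdtemp(prefix="tmp-")
    try:
        try:
            principal = str('host/%s@%s' % (api.env.host, api.env.realm))
            ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
                                                 principal)
            ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
            if ca.is_renewal_master():
                cainstance.update_people_entry(cert)
                if nickname == 'caSigningCert cert-pki-ca':
                    # Update CA certificate in LDAP
                    conn = ldap2(shared_instance=False,
                                 ldap_uri=api.env.ldap_uri)
                    conn.connect(ccache=ccache)
                    try:
                        # … unchanged: DN, get_entry/update_entry, EmptyModlist ignored …
                    finally:
                        conn.disconnect()
        except Exception, e:
            syslog.syslog(
                syslog.LOG_ERR,
                "Updating CA certificate in LDAP failed: %s" % e)
    finally:
        shutil.rmtree(tmpdir)
```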
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index fb4470588..6d4b81a53 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -22,11 +22,15 @@
import sys
import syslog
+import tempfile
+import shutil
import traceback
+from ipapython import ipautil
from ipalib import api
from ipaserver.install import certs, cainstance
from ipaplatform import services
+from ipaplatform.paths import paths
nickname = 'ipaCert'
@@ -34,17 +38,26 @@ def main():
api.bootstrap(context='restart')
api.finalize()
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- # Fetch the new certificate
- db = certs.CertDB(api.env.realm)
- dercert = db.get_cert_from_db(nickname, pem=False)
- if not dercert:
- syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
- sys.exit(1)
-
- # Load it into dogtag
- cainstance.update_people_entry(dercert)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+ principal)
+
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ # Fetch the new certificate
+ db = certs.CertDB(api.env.realm)
+ dercert = db.get_cert_from_db(nickname, pem=False)
+ if not dercert:
+ syslog.syslog(
+ syslog.LOG_ERR, "No certificate %s found." % nickname)
+ sys.exit(1)
+
+ # Load it into dogtag
+ cainstance.update_people_entry(dercert)
+ finally:
+ shutil.rmtree(tmpdir)
# Now restart Apache so the new certificate is available
syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
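Review bot: `ccache` is bound at `ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)` but nothing in the hunk reads it, so the dependency between that call and the `CAInstance(host_name=api.env.host, ldapi=False)` line two lines below is invisible to a reader; presumably kinit_hostprincipal exports the cache through the environment (KRB5CCNAME) and the non-ldapi connection picks it up from there. A short comment on the kinit line would make that explicit, e.g. `# kinit_hostprincipal exports the ccache via KRB5CCNAME; the non-ldapi CAInstance below authenticates with it`, or the unused name can be dropped if main() does not read it later. main() continues past the end of the hunk, so the later use cannot be ruled out from here.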