author | Jan Cholasta <jcholast@redhat.com> | 2014-03-12 11:32:59 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 9393c3978e1dc2beaa88331db1f30021c44f526b (patch) | |
tree | ae931958332744311de60f05a72ae8e3a8b10426 /install/restart_scripts | |
parent | 73d8db6d92d2c1b44b6d7f07d28eef13c344aa8a (diff) | |
Automatically update CA certificate in LDAP on renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index a4959bed9..9e63ef8da 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,10 +28,12 @@ import shutil
 import traceback
 from ipapython import dogtag, certmonger, ipautil
+from ipapython.dn import DN
 from ipalib import api, errors, x509, util
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
+from ipaplatform.paths import paths
 def main():
 nickname = sys.argv[1]
@@ -88,6 +90,32 @@ def main():
 syslog.LOG_ERR,
 "Updating trust on certificate %s failed in %s" %
 (nickname, db.secdir))
+ elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
+ # Update CA certificate in LDAP
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+ principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
+ api.env.basedn)
+ try:
+ entry = conn.get_entry(dn, attrs_list=['cACertificate;binary'])
+ entry['cACertificate;binary'] = [cert]
+ conn.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+ conn.disconnect()
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
+ finally:
+ shutil.rmtree(tmpdir)
 # Now we can start the CA. Using the services start should fire
 # off the servlet to verify that the CA is actually up and responding so |
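Review bot: The `except Exception, e:` handler closing the new `elif` branch in the second hunk records only `str(e)` and then falls through to the CA start below, so a failed rewrite of `cn=CAcert,cn=ipa,cn=etc` (kinit, bind or modify error) leaves one syslog line as the only evidence that LDAP presumably still holds the pre-renewal CA certificate. Since the file already imports `traceback`, include the stack in the same message, e.g. `syslog.LOG_ERR, "Updating CA certificate failed: %s\n%s" % (e, traceback.format_exc()))`, so the cause is recoverable from the log after the fact. Separately, `conn.disconnect()` is reached only on the success path; a `get_entry`/`update_entry` failure other than `EmptyModlist` jumps straight to the outer handler with the LDAP connection still open, so the disconnect belongs in the `finally` next to `shutil.rmtree(tmpdir)`, guarded by a `conn = None` initialised before the `try` because `conn` is bound only after the kinit succeeds. The enclosing `main()`, including where `cert` and `ca` are assigned, begins before this hunk and continues after it.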