summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install
diff options
context:
space:
mode:
authorJan Cholasta <jcholast@redhat.com>2014-10-07 19:07:13 +0200
committerPetr Vobornik <pvoborni@redhat.com>2014-10-16 19:11:52 +0200
commitca7e0c270f5e3b685fd2fbe34b676e85c373c5d0 (patch)
treefc656b118e972bacb05a9786ab9cf54bb64327cf /ipa-client/ipa-install
parent4333a623da4190a7e59e7397159e8200d131904b (diff)
downloadfreeipa-ca7e0c270f5e3b685fd2fbe34b676e85c373c5d0.tar.gz
freeipa-ca7e0c270f5e3b685fd2fbe34b676e85c373c5d0.tar.xz
freeipa-ca7e0c270f5e3b685fd2fbe34b676e85c373c5d0.zip
Add ipa-client-install switch --request-cert to request cert for the host
The certificate is stored in /etc/ipa/nssdb under the nickname "Local IPA host". https://fedorahosted.org/freeipa/ticket/4550 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Diffstat (limited to 'ipa-client/ipa-install')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install105
1 files changed, 93 insertions, 12 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df995..3b6e581c7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
def parse_options():
def validate_ca_cert_file_option(option, opt, value, parser):
if not os.path.exists(value):
@@ -158,6 +156,9 @@ def parse_options():
basic_group.add_option("--ca-cert-file", dest="ca_cert_file",
type="string", action="callback", callback=validate_ca_cert_file_option,
help="load the CA certificate from this file")
+ basic_group.add_option("--request-cert", dest="request_cert",
+ action="store_true", default=False,
+ help="request certificate for the machine")
# --on-master is used in ipa-server-install and ipa-replica-install
# only, it isn't meant to be used on clients.
basic_group.add_option("--on-master", dest="on_master", action="store_true",
@@ -482,11 +483,11 @@ def uninstall(options, env):
if hostname is None:
hostname = socket.getfqdn()
- client_nss_nickname = client_nss_nickname_format % hostname
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
# Always start certmonger. We can't untrack something if it isn't
- # running. Note that this is legacy code to untrack any certificates
- # that were created by previous versions of this installer.
+ # running
messagebus = services.knownservices.messagebus
try:
messagebus.start()
@@ -499,14 +500,24 @@ def uninstall(options, env):
except Exception, e:
log_service_error(cmonger.service_name, 'start', e)
- try:
- certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
- except (CalledProcessError, RuntimeError), e:
- root_logger.error("%s failed to stop tracking certificate: %s",
- cmonger.service_name, str(e))
+ if ipa_db.has_nickname('Local IPA host'):
+ try:
+ certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host')
+ except RuntimeError, e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
+
+ client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+ if sys_db.has_nickname(client_nss_nickname):
+ try:
+ certmonger.stop_tracking(paths.NSS_DB_DIR,
+ nickname=client_nss_nickname)
+ except RuntimeError, e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
# Remove our host cert and CA cert
- ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
try:
ipa_certs = ipa_db.list_certs()
except CalledProcessError, e:
@@ -523,7 +534,6 @@ def uninstall(options, env):
except OSError, e:
root_logger.error("Failed to remove %s: %s", filename, e)
- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname, trust_flags in ipa_certs:
while sys_db.has_nickname(nickname):
try:
@@ -1082,6 +1092,75 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
return 0
+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+ remote_env):
+ if not options.request_cert:
+ return
+
+ if not remote_env['enable_ra']:
+ root_logger.warning(
+ "An RA is not configured on the server. "
+ "Not requesting host certificate.")
+ return
+
+ started = True
+ principal = 'host/%s@%s' % (hostname, cli_realm)
+
+ messagebus = services.knownservices.messagebus
+ try:
+ messagebus.start()
+ except Exception, e:
+ log_service_error(messagebus.service_name, 'start', e)
+
+ # Ensure that certmonger has been started at least once to generate the
+ # cas files in /var/lib/certmonger/cas.
+ cmonger = services.knownservices.certmonger
+ try:
+ cmonger.restart()
+ except Exception, e:
+ log_service_error(cmonger.service_name, 'restart', e)
+
+ if options.hostname:
+ # It needs to be stopped if we touch them
+ try:
+ cmonger.stop()
+ except Exception, e:
+ log_service_error(cmonger.service_name, 'stop', e)
+ # If the hostname is explicitly set then we need to tell certmonger
+ # which principal name to use when requesting certs.
+ certmonger.add_principal_to_cas(principal)
+
+ try:
+ cmonger.restart()
+ except Exception, e:
+ log_service_error(cmonger.service_name, 'restart', e)
+ root_logger.warning(
+ "Automatic certificate management will not be available")
+ started = False
+
+ try:
+ cmonger.enable()
+ except Exception, e:
+ root_logger.error(
+ "Failed to configure automatic startup of the %s daemon: %s",
+ cmonger.service_name, str(e))
+ root_logger.warning(
+ "Automatic certificate management will not be available")
+
+ # Request our host cert
+ if started:
+ subject = str(DN(('CN', hostname), subject_base))
+ passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+ try:
+ certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host',
+ subject=subject,
+ principal=principal,
+ passwd_fname=passwd_fname)
+ except Exception:
+ root_logger.error("%s request for host certificate failed",
+ cmonger.service_name)
+
def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
try:
sssdconfig = SSSDConfig.SSSDConfig()
@@ -2612,6 +2691,8 @@ def install(options, env, fstore, statestore):
if not options.on_master:
client_dns(cli_server[0], hostname, options.dns_updates)
+ configure_certmonger(fstore, subject_base, cli_realm, hostname,
+ options, remote_env)
update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)