Add ipa-client-install switch --request-cert to request cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".

https://fedorahosted.org/freeipa/ticket/4550

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

2 files changed, 97 insertions, 12 deletions

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df995..3b6e581c7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
 SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
 SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
 
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
 def parse_options():
     def validate_ca_cert_file_option(option, opt, value, parser):
         if not os.path.exists(value):
@@ -158,6 +156,9 @@ def parse_options():
     basic_group.add_option("--ca-cert-file", dest="ca_cert_file",
                            type="string", action="callback", callback=validate_ca_cert_file_option,
                            help="load the CA certificate from this file")
+    basic_group.add_option("--request-cert", dest="request_cert",
+                           action="store_true", default=False,
+                           help="request certificate for the machine")
     # --on-master is used in ipa-server-install and ipa-replica-install
     # only, it isn't meant to be used on clients.
     basic_group.add_option("--on-master", dest="on_master", action="store_true",
@@ -482,11 +483,11 @@ def uninstall(options, env):
     if hostname is None:
         hostname = socket.getfqdn()
 
-    client_nss_nickname = client_nss_nickname_format % hostname
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
 
     # Always start certmonger. We can't untrack something if it isn't
-    # running. Note that this is legacy code to untrack any certificates
-    # that were created by previous versions of this installer.
+    # running
     messagebus = services.knownservices.messagebus
     try:
         messagebus.start()
@@ -499,14 +500,24 @@ def uninstall(options, env):
     except Exception, e:
         log_service_error(cmonger.service_name, 'start', e)
 
-    try:
-        certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
-    except (CalledProcessError, RuntimeError), e:
-        root_logger.error("%s failed to stop tracking certificate: %s",
-            cmonger.service_name, str(e))
+    if ipa_db.has_nickname('Local IPA host'):
+        try:
+            certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+                                     nickname='Local IPA host')
+        except RuntimeError, e:
+            root_logger.error("%s failed to stop tracking certificate: %s",
+                              cmonger.service_name, e)
+
+    client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+    if sys_db.has_nickname(client_nss_nickname):
+        try:
+            certmonger.stop_tracking(paths.NSS_DB_DIR,
+                                     nickname=client_nss_nickname)
+        except RuntimeError, e:
+            root_logger.error("%s failed to stop tracking certificate: %s",
+                              cmonger.service_name, e)
 
     # Remove our host cert and CA cert
-    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
     try:
         ipa_certs = ipa_db.list_certs()
     except CalledProcessError, e:
@@ -523,7 +534,6 @@ def uninstall(options, env):
         except OSError, e:
             root_logger.error("Failed to remove %s: %s", filename, e)
 
-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
     for nickname, trust_flags in ipa_certs:
         while sys_db.has_nickname(nickname):
             try:
@@ -1082,6 +1092,75 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 
     return 0
 
+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+                         remote_env):
+    if not options.request_cert:
+        return
+
+    if not remote_env['enable_ra']:
+        root_logger.warning(
+            "An RA is not configured on the server. "
+            "Not requesting host certificate.")
+        return
+
+    started = True
+    principal = 'host/%s@%s' % (hostname, cli_realm)
+
+    messagebus = services.knownservices.messagebus
+    try:
+        messagebus.start()
+    except Exception, e:
+        log_service_error(messagebus.service_name, 'start', e)
+
+    # Ensure that certmonger has been started at least once to generate the
+    # cas files in /var/lib/certmonger/cas.
+    cmonger = services.knownservices.certmonger
+    try:
+        cmonger.restart()
+    except Exception, e:
+        log_service_error(cmonger.service_name, 'restart', e)
+
+    if options.hostname:
+        # It needs to be stopped if we touch them
+        try:
+            cmonger.stop()
+        except Exception, e:
+            log_service_error(cmonger.service_name, 'stop', e)
+        # If the hostname is explicitly set then we need to tell certmonger
+        # which principal name to use when requesting certs.
+        certmonger.add_principal_to_cas(principal)
+
+    try:
+        cmonger.restart()
+    except Exception, e:
+        log_service_error(cmonger.service_name, 'restart', e)
+        root_logger.warning(
+            "Automatic certificate management will not be available")
+        started = False
+
+    try:
+        cmonger.enable()
+    except Exception, e:
+        root_logger.error(
+            "Failed to configure automatic startup of the %s daemon: %s",
+            cmonger.service_name, str(e))
+        root_logger.warning(
+            "Automatic certificate management will not be available")
+
+    # Request our host cert
+    if started:
+        subject = str(DN(('CN', hostname), subject_base))
+        passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+        try:
+            certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+                                    nickname='Local IPA host',
+                                    subject=subject,
+                                    principal=principal,
+                                    passwd_fname=passwd_fname)
+        except Exception:
+            root_logger.error("%s request for host certificate failed",
+                              cmonger.service_name)
+
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
     try:
         sssdconfig = SSSDConfig.SSSDConfig()
@@ -2612,6 +2691,8 @@ def install(options, env, fstore, statestore):
 
     if not options.on_master:
         client_dns(cli_server[0], hostname, options.dns_updates)
+        configure_certmonger(fstore, subject_base, cli_realm, hostname,
+                             options, remote_env)
 
     update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)
 
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 279d66ad6..726a6c133 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -166,6 +166,9 @@ file. The CA certificate found in \fICA_FILE\fR is considered
 authoritative and will be installed without checking to see if it's
 valid for the IPA domain.
 .TP
+\fB\-\-request\-cert\fR
+Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+.TP
 \fB\-\-automount\-location\fR=\fILOCATION\fR
 Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
 automount location.
@@ -226,6 +229,7 @@ Files always created (replacing existing content):
 /etc/krb5.conf\p
 /etc/ipa/ca.crt\p
 /etc/ipa/default.conf\p
+/etc/ipa/nssdb\p
 /etc/openldap/ldap.conf\p
 .TP
 Files updated, existing content is maintained: