author | Rob Crittenden <rcritten@redhat.com> | 2010-09-08 22:11:31 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-09-09 16:38:45 -0400 |
commit | 2e8bae590eae495628ffb709540f7e83eee52ba2 (patch) | |
tree | 8426fdb320a4f383a0a6e5de42fb56c40bdc2211 /ipalib/plugins/cert.py | |
parent | 3a022fe51043f71bdb50aefea828377b8f0c09fb (diff) | |
Have certmonger track the initial Apache and 389-ds server certs.
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.
This requires some manual changes to the certmonger request files once
tracking has begun, because certmonger doesn't store a subject or principal template
when a cert is added via start-tracking.
This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.
ticket 67
Diffstat (limited to 'ipalib/plugins/cert.py')
-rw-r--r-- | ipalib/plugins/cert.py | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 1154e2e30..60161cf1c 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -417,7 +417,16 @@ class cert_show(VirtualCommand):
     operation="retrieve certificate"
 
     def execute(self, serial_number):
-        self.check_access()
+        hostname = None
+        try:
+            self.check_access()
+        except errors.ACIError, acierr:
+            self.debug("Not granted by ACI to retrieve certificate, looking at principal")
+            bind_principal = getattr(context, 'principal')
+            if not bind_principal.startswith('host/'):
+                raise acierr
+            hostname = get_host_from_principal(bind_principal)
+
         result=self.Backend.ra.get_certificate(serial_number)
         cert = x509.load_certificate(result['certificate'])
         result['subject'] = unicode(cert.subject)
@@ -426,6 +435,12 @@ class cert_show(VirtualCommand):
         result['valid_not_after'] = unicode(cert.valid_not_after_str)
         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+        if hostname:
+            # If we have a hostname we want to verify that the subject
+            # of the certificate matches it, otherwise raise an error
+            if hostname != cert.subject.common_name:
+                raise acierr
+
         return dict(result=result)
 
 api.register(cert_show)
@@ -457,7 +472,17 @@ class cert_revoke(VirtualCommand):
     )
 
     def execute(self, serial_number, **kw):
-        self.check_access()
+        hostname = None
+        try:
+            self.check_access()
+        except errors.ACIError, acierr:
+            self.debug("Not granted by ACI to revoke certificate, looking at principal")
+            try:
+                # Let cert_show() handle verifying that the subject of the
+                # cert we're dealing with matches the hostname in the principal
+                result = api.Command['cert_show'](unicode(serial_number))['result']
+            except errors.NotImplementedError:
+                pass
         return dict(
             result=self.Backend.ra.revoke_certificate(serial_number, **kw)
         )
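Review bot: The host fallback in cert_show.execute is split across two hunks with no comment tying them together: the first hunk only derives `hostname` from the bind principal, and the authorization decision is the `raise acierr` in the second hunk, which relies on the except-clause variable still being bound after the `except` block (valid under the Python 2 `except X, e` syntax this file uses, but easy to break in a later refactor). A comment above `hostname = None` such as `# ACI denied: a host principal may still read its own cert; the subject CN is compared against the host below` would make the two-stage check readable. `getattr(context, 'principal')` has no default, so a request without a principal surfaces as AttributeError rather than the ACI denial; if that can happen, `getattr(context, 'principal', None)` with a None guard before `startswith` keeps the failure an authorization error. The CN comparison in the second hunk is case-sensitive while host names are not, so whether normalization is needed depends on how the CA writes subjects.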
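Review bot: The `except errors.NotImplementedError: pass` in cert_revoke.execute fails open: if cert_show cannot look the certificate up, the ACI denial is swallowed and `revoke_certificate` still runs for a host principal that was never shown to own the certificate. Re-raising the original denial, `except errors.NotImplementedError: raise acierr`, keeps the failure closed. `hostname = None` and the `result` assignment are unused in this method and can be dropped, since the hostname-to-CN matching lives in cert_show. cert_revoke.execute is shown in full within the hunk.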