Use new certmonger locking to prevent NSS database corruption.

dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322

1 files changed, 27 insertions, 11 deletions

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index f29050ea9..d347c2aeb 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -261,7 +261,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
             # Fall back to trying to stop tracking using nickname
             pass
 
-    args = ['/usr/bin/ipa-getcert',
+    args = ['/usr/bin/getcert',
             'stop-tracking',
     ]
     if request_id:
@@ -368,7 +368,8 @@ def get_pin(token, dogtag_constants=None):
                 return pin.strip()
     return None
 
-def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
+def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
+                          post_command):
     """
     Tell certmonger to start tracking a dogtag CA certificate. These
     are handled differently because their renewal must be done directly
@@ -377,7 +378,10 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
     This uses the generic certmonger command getcert so we can specify
     a different helper.
 
-    command is the script to execute.
+    pre_command is the script to execute before a renewal is done.
+    post_command is the script to execute after a renewal is done.
+
+    Both commands can be None.
 
     Returns the stdout, stderr and returncode from running ipa-getcert
 
@@ -386,20 +390,32 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
     if not cert_exists(nickname, os.path.abspath(secdir)):
         raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
 
-    if command is not None and not os.path.isabs(command):
-        if sys.maxsize > 2**32:
-            libpath = 'lib64'
-        else:
-            libpath = 'lib'
-        command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
-
     args = ["/usr/bin/getcert", "start-tracking",
             "-d", os.path.abspath(secdir),
             "-n", nickname,
             "-c", ca,
-            "-C", command,
            ]
 
+    if pre_command is not None:
+        if not os.path.isabs(pre_command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            pre_command = '/usr/%s/ipa/certmonger/%s' % (libpath, pre_command)
+        args.append("-B")
+        args.append(pre_command)
+
+    if post_command is not None:
+        if not os.path.isabs(post_command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            post_command = '/usr/%s/ipa/certmonger/%s' % (libpath, post_command)
+        args.append("-C")
+        args.append(post_command)
+
     if pinfile:
         args.append("-p")
         args.append(pinfile)