authorRob Crittenden <rcritten@redhat.com>2011-03-04 17:53:42 -0500
committerRob Crittenden <rcritten@redhat.com>2011-03-08 10:23:07 -0500
commit3735450ab8089c64f196899ab6af2447d1c4a2fc (patch)
treeb1bcd8a96b6752e5e1d3ddafd4710bd9f015dfd7 /ipapython/certmonger.py
parent61d70657ab93bb4ce74013dcfef9b9592460caaf (diff)
If --hostname is provided for ipa-client-install use it everywhere.
If a hostname was provided it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration. Additionally on un-enrollment the wrong hostname was unenrolled, it used the value of gethostname() rather than the one that was passed into the installer. We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them. ticket 1029
Diffstat (limited to 'ipapython/certmonger.py')
-rw-r--r--ipapython/certmonger.py80
1 files changed, 78 insertions, 2 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 15ae1e5..1ed9076 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -27,6 +27,7 @@ import time
from ipapython import ipautil
REQUEST_DIR='/var/lib/certmonger/requests/'
+CA_DIR='/var/lib/certmonger/cas/'
def find_request_value(filename, directive):
"""
@@ -34,7 +35,7 @@ def find_request_value(filename, directive):
It tries to do this a number of times because sometimes there is a delay
when ipa-getcert returns and the file is fully updated, particularly
- when doing a request. Genrerating a CSR is fast but not instantaneous.
+ when doing a request. Generating a CSR is fast but not instantaneous.
"""
tries = 1
value = None
@@ -126,7 +127,7 @@ def add_request_value(request_id, directive, value):
def add_principal(request_id, principal):
"""
- In order for a certmonger request to be renwable it needs a principal.
+ In order for a certmonger request to be renewable it needs a principal.
When an existing certificate is added via start-tracking it won't have
a principal.
@@ -241,6 +242,81 @@ def stop_tracking(secdir, request_id=None, nickname=None):
return (stdout, stderr, returncode)
+def _find_IPA_ca():
+ """
+ Look through all the certmonger CA files to find the one that
+ has id=IPA
+
+ We can use find_request_value because the ca files have the
+ same file format.
+ """
+ fileList=os.listdir(CA_DIR)
+ for file in fileList:
+ value = find_request_value('%s/%s' % (CA_DIR, file), 'id')
+ if value is not None and value.strip() == 'IPA':
+ return '%s/%s' % (CA_DIR, file)
+
+ return None
+
+def add_principal_to_cas(principal):
+ """
+ If the hostname we were passed to use in ipa-client-install doesn't
+ match the value of gethostname() then we need to append
+ -k host/HOSTNAME@REALM to the ca helper defined for
+ /usr/libexec/certmonger/ipa-submit.
+
+ We also need to restore this on uninstall.
+
+ The certmonger service MUST be stopped in order for this to work.
+ """
+ cafile = _find_IPA_ca()
+ if cafile is None:
+ return
+
+ update = False
+ fp = open(cafile, 'r')
+ lines = fp.readlines()
+ fp.close()
+
+ for i in xrange(len(lines)):
+ if lines[i].startswith('ca_external_helper') and \
+ lines[i].find('-k') == -1:
+ lines[i] = '%s -k %s\n' % (lines[i].strip(), principal)
+ update = True
+
+ if update:
+ fp = open(cafile, 'w')
+ for line in lines:
+ fp.write(line)
+ fp.close()
+
+def remove_principal_from_cas():
+ """
+ Remove any -k principal options from the ipa_submit helper.
+
+ The certmonger service MUST be stopped in order for this to work.
+ """
+ cafile = _find_IPA_ca()
+ if cafile is None:
+ return
+
+ update = False
+ fp = open(cafile, 'r')
+ lines = fp.readlines()
+ fp.close()
+
+ for i in xrange(len(lines)):
+ if lines[i].startswith('ca_external_helper') and \
+ lines[i].find('-k') > 0:
+ lines[i] = lines[i].strip().split(' ')[0] + '\n'
+ update = True
+
+ if update:
+ fp = open(cafile, 'w')
+ for line in lines:
+ fp.write(line)
+ fp.close()
+
if __name__ == '__main__':
request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
csr = get_request_value(request_id, 'csr')
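Review bot: `remove_principal_from_cas` discards everything after the helper path (`lines[i].strip().split(' ')[0]`), not just the `-k <principal>` pair that `add_principal_to_cas` appended, so any other argument already present on the `ca_external_helper` line is silently lost on uninstall, and the `find('-k') > 0` / `find('-k') == -1` tests in both functions match the substring anywhere in the line, including inside the helper path itself. Parsing the line into words and deleting only the `-k` option and its value keeps the rest of the line intact; the loop below does that. On the add side the principal is written unquoted, so a value containing whitespace would be read by certmonger as extra helper arguments; a guard such as `if not principal or any(c.isspace() for c in principal): raise ValueError('invalid principal')` before the loop would reject it. Both functions also rewrite the CA file in place with `open(cafile, 'w')`, so an interruption mid-write leaves a truncated CA configuration; writing to a temporary file in CA_DIR and renaming it over the original keeps the file consistent.
```python
    for i in xrange(len(lines)):
        if not lines[i].startswith('ca_external_helper'):
            continue
        words = lines[i].strip().split()
        if '-k' in words:
            k = words.index('-k')
            # drop only the option and its value; keep any other helper arguments
            del words[k:k + 2]
            lines[i] = ' '.join(words) + '\n'
            update = True
    # ... unchanged: write the file back when update is set ...
```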