Use certmonger to renew CA subsystem certificates

Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803

1 files changed, 145 insertions, 2 deletions

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 62c1dc4d0..2644689a0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -37,6 +37,7 @@ import stat
 import socket
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
+from ipapython import certmonger
 from ipalib import pkcs10, x509
 from ipalib.dn import DN
 import subprocess
@@ -324,7 +325,7 @@ class CADSInstance(service.Service):
             # We only handle one server cert
             self.nickname = server_certs[0][0]
             self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
-            dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname)
+            dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
 
     def create_certdb(self):
         """
@@ -337,7 +338,7 @@ class CADSInstance(service.Service):
         cadb.export_ca_cert('ipaCert', False)
         dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
         self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
-        dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname)
+        dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
         dsdb.create_pin_file()
 
     def enable_ssl(self):
@@ -404,6 +405,24 @@ class CADSInstance(service.Service):
         # At one time we removed this user on uninstall. That can potentially
         # orphan files, or worse, if another useradd runs in the intermim,
         # cause files to have a new owner.
+        cmonger = ipaservices.knownservices.certmonger
+        ipaservices.knownservices.messagebus.start()
+        cmonger.start()
+
+        for nickname in ['Server-Cert cert-pki-ca',
+                         'auditSigningCert cert-pki-ca',
+                         'ocspSigningCert cert-pki-ca',
+                         'subsystemCert cert-pki-ca']:
+            try:
+                certmonger.stop_tracking('/var/lib/pki-ca/alias', nickname=nickname)
+            except (ipautil.CalledProcessError, RuntimeError), e:
+                root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
+
+        try:
+            certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
+        except (ipautil.CalledProcessError, RuntimeError), e:
+            root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
+        cmonger.stop()
 
 class CAInstance(service.Service):
     """
@@ -526,6 +545,11 @@ class CAInstance(service.Service):
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
                 self.step("adding RA agent as a trusted user", self.__configure_ra)
+                self.step("configure certificate renewals", self.configure_renewal)
+            else:
+                self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
+                self.step("configure clone certificate renewals", self.configure_clone_renewal)
+            self.step("configure Server-Cert certificate renewal", self.track_servercert)
             self.step("Configure HTTP to proxy connections", self.__http_proxy)
 
         self.start_creation("Configuring certificate server", 210)
@@ -797,6 +821,18 @@ class CAInstance(service.Service):
         finally:
             os.remove(agent_name)
 
+        self.configure_agent_renewal()
+
+    def configure_agent_renewal(self):
+        """
+        Set up the agent cert for renewal. No need to make any changes to
+        the dogtag LDAP here since the originator will do that so we
+        only call restart_httpd after retrieving the cert.
+
+        On upgrades this needs to be called from ipa-upgradeconfig.
+        """
+        certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'restart_httpd')
+
     def __configure_ra(self):
         # Create an RA user in the CA LDAP server and add that user to
         # the appropriate groups so it can issue certificates without
@@ -1058,6 +1094,8 @@ class CAInstance(service.Service):
         # cause files to have a new owner.
         user_exists = self.restore_state("user_exists")
 
+        installutils.remove_file("/var/lib/certmonger/cas/ca_renewal")
+
     def publish_ca_cert(self, location):
         args = ["-L", "-n", self.canickname, "-a"]
         (cert, err, returncode) = self.__run_certutil(args)
@@ -1070,6 +1108,77 @@ class CAInstance(service.Service):
         shutil.copy(ipautil.SHARE_DIR + "ipa-pki-proxy.conf",
                     HTTPD_CONFD + "ipa-pki-proxy.conf")
 
+    def track_servercert(self):
+        try:
+            pin = certmonger.get_pin('internal')
+        except IOError, e:
+            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "Server-Cert cert-pki-ca"')
+
+    def configure_renewal(self):
+        cmonger = ipaservices.knownservices.certmonger
+        cmonger.enable()
+        ipaservices.knownservices.messagebus.start()
+        cmonger.start()
+
+        try:
+            pin = certmonger.get_pin('internal')
+        except IOError, e:
+            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+
+        # Server-Cert cert-pki-ca is renewed per-server
+        for nickname in ['auditSigningCert cert-pki-ca',
+                         'ocspSigningCert cert-pki-ca',
+                         'subsystemCert cert-pki-ca']:
+            certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', nickname, pin, None, '/var/lib/pki-ca/alias', 'renew_ca_cert "%s"' % nickname)
+
+        # Set up the agent cert for renewal
+        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
+
+    def configure_certmonger_renewal(self):
+        """
+        Create a new CA type for certmonger that will retrieve updated
+        certificates from the dogtag master server.
+        """
+        target_fname = '/var/lib/certmonger/cas/ca_renewal'
+        if ipautil.file_exists(target_fname):
+            # This CA can be configured either during initial CA installation
+            # if the replica is created with --setup-ca or when Apache is
+            # being configured if not.
+            return
+        txt = ipautil.template_file(ipautil.SHARE_DIR + "ca_renewal", dict())
+        fd = open(target_fname, "w")
+        fd.write(txt)
+        fd.close()
+        os.chmod(target_fname, 0600)
+        ipaservices.restore_context(target_fname)
+
+        cmonger = ipaservices.knownservices.certmonger
+        cmonger.enable()
+        ipaservices.knownservices.messagebus.start()
+        cmonger.restart()
+
+    def configure_clone_renewal(self):
+        """
+        The actual renewal is done on the master. On the clone side we
+        use a separate certmonger CA that polls LDAP to see if an updated
+        certificate is available. If it is then it gets installed.
+        """
+
+        try:
+            pin = certmonger.get_pin('internal')
+        except IOError, e:
+            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+
+        # Server-Cert cert-pki-ca is renewed per-server
+        for nickname in ['auditSigningCert cert-pki-ca',
+                         'ocspSigningCert cert-pki-ca',
+                         'subsystemCert cert-pki-ca']:
+            certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', nickname, pin, None, '/var/lib/pki-ca/alias', 'restart_pkicad "%s"' % nickname)
+
+        # The agent renewal is configured in import_ra_cert which is called
+        # after the HTTP instance is created.
+
     def enable_subject_key_identifier(self):
         """
         See if Subject Key Identifier is set in the profile and if not, add it.
@@ -1109,6 +1218,21 @@ class CAInstance(service.Service):
         # No update was done
         return False
 
+    def is_master(self):
+        """
+        There are some tasks that are only done on a single dogtag master.
+        By default this is the first one installed. Use this to determine if
+        that is the case.
+
+        If users have changed their topology so the initial master is either
+        gone or no longer performing certain duties then it is their
+        responsibility to handle changes on upgrades.
+        """
+        master = installutils.get_directive(
+            '/var/lib/pki-ca/conf/CS.cfg', 'subsystem.select', '=')
+
+        return master == 'New'
+
 def install_replica_ca(config, postinstall=False):
     """
     Install a CA on a replica.
@@ -1179,6 +1303,25 @@ def install_replica_ca(config, postinstall=False):
 
     return (ca, cs)
 
+def update_cert_config(nickname, cert):
+    """
+    When renewing a CA subsystem certificate the configuration file
+    needs to get the new certificate as well.
+
+    nickname is one of the known nicknames.
+    cert is a DER-encoded certificate.
+    """
+    # The cert directive to update per nickname
+    directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
+                  'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
+                  'caSigningCert cert-pki-ca': 'ca.signing.cert',
+                  'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
+
+    installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
+                                directives[nickname],
+                                base64.b64encode(cert),
+                                quotes=False, separator='=')
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     cs = CADSInstance()