authorRob Crittenden <rcritten@redhat.com>2012-04-10 21:21:08 +0200
committerRob Crittenden <rcritten@redhat.com>2012-04-10 01:08:41 -0400
commit717bbcd2bf624ad68ea1cdf08216ab4f06e8bc4d (patch)
treec322f49a4d11e13bd69ee1f7db69b377f62c93c4 /ipaserver
parente9b79cc1e111bbdc91675f8a2f48a92baa4266c9 (diff)
Configure certmonger to execute restart scripts on renewal.
certmonger now has the ability to execute a script when it renews a certificate. This can be used to automatically restart servers so the running server picks up the renewed certificate rather than continuing to serve the expired one. https://fedorahosted.org/freeipa/ticket/2050
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/certs.py14
-rw-r--r--ipaserver/install/dsinstance.py6
-rw-r--r--ipaserver/install/httpinstance.py4
3 files changed, 17 insertions, 7 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 13770811e..d25a471ea 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -18,6 +18,7 @@
#
import os, stat, subprocess, re
+import sys
import errno
import tempfile
import shutil
@@ -492,16 +493,25 @@ class CertDB(object):
raise RuntimeError("Unable to find serial number")
- def track_server_cert(self, nickname, principal, password_file=None):
+ def track_server_cert(self, nickname, principal, password_file=None, command=None):
"""
Tell certmonger to track the given certificate nickname.
+
+ If command is not a full path then it is prefixed with
+ /usr/lib[64]/ipa/certmonger.
"""
+ if command is not None and not os.path.isabs(command):
+ if sys.maxsize > 2**32:
+ libpath = 'lib64'
+ else:
+ libpath = 'lib'
+ command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
cmonger = ipaservices.knownservices.certmonger
cmonger.enable()
ipaservices.knownservices.messagebus.start()
cmonger.start()
try:
- (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file)
+ (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file, command)
except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error("certmonger failed starting to track certificate: %s" % str(e))
return
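Review bot: The lib64/lib choice in the new prefixing code is keyed on the interpreter's pointer width (`sys.maxsize`), not on where the package actually installed its certmonger scripts, so on a 32-bit userspace under a 64-bit kernel, or on any distribution that does not use /usr/lib64, certmonger is handed a path that does not exist and the failure only surfaces at renewal time, running as certmonger's own (root) identity, long after installation. Since this string becomes a command certmonger executes, the helper should resolve the script at install time and refuse to register a tracking request it cannot satisfy, e.g. `script = command.split()[0]` then `if not os.access(script, os.X_OK): raise RuntimeError("certmonger helper %s not found" % script)` placed before the certmonger start/tracking calls. A relative name containing path separators (`../`) would also escape the documented /usr/lib[64]/ipa/certmonger directory, so rejecting a first token that contains `os.sep` keeps the docstring's contract honest. The rest of track_server_cert's body, if any, lies outside the hunk.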
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 63672067a..9af5e5843 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -516,21 +516,21 @@ class DsInstance(service.Service):
# We only handle one server cert
nickname = server_certs[0][0]
self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
- dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname)
+ dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid )
else:
nickname = "Server-Cert"
cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
if self.self_signed_ca:
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
- dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname)
+ dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
dsdb.create_pin_file()
else:
# FIXME, need to set this nickname in the RA plugin
cadb.export_ca_cert('ipaCert', False)
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
- dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname)
+ dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
dsdb.create_pin_file()
conn = ipaldap.IPAdmin("127.0.0.1")
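Review bot: The three new track_server_cert calls build the restart command by interpolating `self.serverid` into a command line (`'restart_dirsrv %s' % self.serverid`) that certmonger will later execute with its own privileges, and nothing here guarantees serverid is a single shell-safe token; it is presumably derived from the realm name (verify), but if it can ever carry whitespace or shell metacharacters the renewal hook would run something other than intended. Validate it once before use, e.g. `if not re.match(r'^[A-Za-z0-9_.-]+$', self.serverid): raise ValueError("unsafe serverid %r" % self.serverid)`, or pass the argument separately if certmonger's interface allows it. The same expression also appears three times in this hunk; computing it once into a local such as `restart_cmd = 'restart_dirsrv %s' % self.serverid` ahead of the branch keeps the call sites in step. The enclosing method starts and ends outside the hunk.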
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 0a09c26f2..e1bbc30a1 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -210,7 +210,7 @@ class HTTPInstance(service.Service):
# We only handle one server cert
nickname = server_certs[0][0]
self.dercert = db.get_cert_from_db(nickname, pem=False)
- db.track_server_cert(nickname, self.principal, db.passwd_fname)
+ db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
self.__set_mod_nss_nickname(nickname)
else:
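Review bot: The helper name `'restart_httpd'` is a bare string literal repeated at both call sites in this file, which ties the installed script name to two separate places that must be kept in sync by hand. A module-level constant such as `RESTART_HTTPD_CMD = 'restart_httpd'` used in both calls makes the dependency on the installed script explicit and gives one place to change if the helper is renamed. The enclosing method starts and ends outside the hunk.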
@@ -219,7 +219,7 @@ class HTTPInstance(service.Service):
db.create_password_conf()
self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
- db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
+ db.track_server_cert("Server-Cert", self.principal, db.passwd_fname, 'restart_httpd')
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
# Fix the database permissions