-rw-r--r-- | install/restart_scripts/renew_ca_cert | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index a4959bed9..9e63ef8da 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,10 +28,12 @@
 import shutil
 import traceback
 from ipapython import dogtag, certmonger, ipautil
+from ipapython.dn import DN
 from ipalib import api, errors, x509, util
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 def main():
     nickname = sys.argv[1]
@@ -88,6 +90,32 @@ def main():
                 syslog.LOG_ERR,
                 "Updating trust on certificate %s failed in %s" %
                 (nickname, db.secdir))
+    elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
+        # Update CA certificate in LDAP
+        tmpdir = tempfile.mkdtemp(prefix="tmp-")
+        try:
+            principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+            ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+                                                 principal)
+
+            conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+            conn.connect(ccache=ccache)
+
+            dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
+                    api.env.basedn)
+            try:
+                entry = conn.get_entry(dn, attrs_list=['cACertificate;binary'])
+                entry['cACertificate;binary'] = [cert]
+                conn.update_entry(entry)
+            except errors.EmptyModlist:
+                pass
+
+            conn.disconnect()
+        except Exception, e:
+            syslog.syslog(
+                syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
+        finally:
+            shutil.rmtree(tmpdir)
 
     # Now we can start the CA. Using the services start should fire
     # off the servlet to verify that the CA is actually up and responding so
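Review bot: In the second hunk `conn.disconnect()` runs only on the success path, so when `conn.get_entry` or `conn.update_entry` raises anything other than `errors.EmptyModlist` the outer `except Exception` logs the failure and the bound LDAP connection is never closed; opening a `try:` directly after `conn.connect(ccache=ccache)` and moving the disconnect into its `finally: conn.disconnect()` closes it on every path without touching the `conn` name when `connect` itself fails. A failed update is only syslogged and `main()` then continues to start the CA (the trailing context comment shows this), which leaves the NSS database and the `cn=CAcert,cn=ipa,cn=etc` entry holding different certificates until something corrects it; if that is the intended trade-off, a comment on the `except Exception, e:` branch stating why the LDAP failure must not block the CA restart would make it explicit, otherwise a non-zero exit status is worth considering. `cert`, `ca` and the `tempfile` import are defined before this hunk and `main()` continues past it, so the assumption that `cert` already holds the new DER-encoded certificate at this point is inferred from the `cACertificate;binary` assignment rather than visible here.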