diff options
| -rw-r--r-- | freeipa.spec.in | 6 | ||||
| -rw-r--r-- | install/tools/Makefile.am | 1 | ||||
| -rw-r--r-- | install/tools/ipa-cacert-manage | 23 | ||||
| -rw-r--r-- | install/tools/man/Makefile.am | 1 | ||||
| -rw-r--r-- | install/tools/man/ipa-cacert-manage.1 | 62 | ||||
| -rw-r--r-- | ipaserver/install/ipa_cacert_manage.py | 285 |
6 files changed, 376 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 50262f7fb..ff2a4aa5c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -121,7 +121,7 @@ Requires: python-dns Requires: zip Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: tar -Requires(pre): certmonger >= 0.65 +Requires(pre): certmonger >= 0.75.6 Requires(pre): 389-ds-base >= 1.3.2.20 Requires: fontawesome-fonts Requires: open-sans-fonts @@ -192,7 +192,7 @@ Requires: wget Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd >= 1.11.1 -Requires: certmonger >= 0.65 +Requires: certmonger >= 0.75.6 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir @@ -585,6 +585,7 @@ fi %{_sbindir}/ipactl %{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-advise +%{_sbindir}/ipa-cacert-manage %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/ipa-otpd %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached @@ -719,6 +720,7 @@ fi %{_mandir}/man1/ipa-restore.1.gz %{_mandir}/man1/ipa-advise.1.gz %{_mandir}/man1/ipa-otptoken-import.1.gz +%{_mandir}/man1/ipa-cacert-manage.1.gz %files server-trust-ad %{_sbindir}/ipa-adtrust-install diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 485be91b7..0b38d2c77 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -25,6 +25,7 @@ sbin_SCRIPTS = \ ipa-backup \ ipa-restore \ ipa-advise \ + ipa-cacert-manage \ $(NULL) EXTRA_DIST = \ diff --git a/install/tools/ipa-cacert-manage b/install/tools/ipa-cacert-manage new file mode 100644 index 000000000..5e969b7b8 --- /dev/null +++ b/install/tools/ipa-cacert-manage @@ -0,0 +1,23 @@ +#! /usr/bin/python2 -E +# Authors: Jan Cholasta <jcholast@redhat.com> +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from ipaserver.install.ipa_cacert_manage import CACertManage + +CACertManage.run_cli() diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index b3f39b942..f9f75f183 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -23,6 +23,7 @@ man1_MANS = \ ipa-restore.1 \ ipa-advise.1 \ ipa-otptoken-import.1 \ + ipa-cacert-manage.1 \ $(NULL) man8_MANS = \ diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 new file mode 100644 index 000000000..92fe717b7 --- /dev/null +++ b/install/tools/man/ipa-cacert-manage.1 @@ -0,0 +1,62 @@ +.\" A man page for ipa-cacert-manage +.\" Copyright (C) 2014 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see <http://www.gnu.org/licenses/>. +.\" +.\" Author: Jan Cholasta <jcholast@redhat.com> +.\" +.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages" +.SH "NAME" +ipa\-cacert\-manage \- Manage CA certificates in IPA +.SH "SYNOPSIS" +\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] \fICOMMAND\fR +.SH "DESCRIPTION" +\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA. +.SH "COMMANDS" +.TP +\fBrenew\fR +\- Renew the IPA CA certificate +.sp +.RS +This command can be used to manually renew CA certificate of the IPA CA. +.sp +When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate, as it will be renewed automatically when it is about to expire, but you can do so if you wish. +.sp +When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA, which cannot be done automatically. It is necessary to manually renew the CA certificate in this setup. +.sp +When the IPA CA is not configured, this command is not available. +.RE +.SH "OPTIONS" +.TP +\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR +The Directory Manager password to use for authentication. +.TP +\fB\-\-external\-cert\-file\fR=\fIFILE\fR +PEM file containing a certificate signed by the external CA. Must be given with \-\-external\-ca\-file. +.TP +\fB\-\-external\-ca\-file\fR=\fIFILE\fR +PEM file containing the external CA chain. +.TP +\fB\-v\fR, \fB\-\-verbose\fR +Print debugging information. +.TP +\fB\-q\fR, \fB\-\-quiet\fR +Output only errors. +.TP +\fB\-\-log\-file\fR=\fIFILE\fR +Log to the given file. +.SH "EXIT STATUS" +0 if the command was successful + +1 if an error occurred diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py new file mode 100644 index 000000000..8f09c858c --- /dev/null +++ b/ipaserver/install/ipa_cacert_manage.py @@ -0,0 +1,285 @@ +# Authors: Jan Cholasta <jcholast@redhat.com> +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import os +import time +from optparse import OptionGroup +import base64 +from nss import nss +from nss.error import NSPRError +import krbV + +from ipapython import admintool, certmonger, ipautil +from ipapython.dn import DN +from ipaplatform.paths import paths +from ipalib import api, errors, x509, util +from ipaserver.install import certs, cainstance, installutils +from ipaserver.plugins.ldap2 import ldap2 + + +class CACertManage(admintool.AdminTool): + command_name = 'ipa-cacert-manage' + + usage = "%prog renew [options]" + + description = "Manage CA certificates." + + cert_nickname = 'caSigningCert cert-pki-ca' + + @classmethod + def add_options(cls, parser): + super(CACertManage, cls).add_options(parser) + + parser.add_option( + "-p", "--password", dest='password', + help="Directory Manager password") + + renew_group = OptionGroup(parser, "Renew options") + renew_group.add_option( + "--external-cert-file", dest='external_cert_file', + help="PEM file containing a certificate signed by the external CA") + renew_group.add_option( + "--external-ca-file", dest='external_ca_file', + help="PEM file containing the external CA chain") + parser.add_option_group(renew_group) + + def validate_options(self): + super(CACertManage, self).validate_options(needs_root=True) + + installutils.check_server_configuration() + + parser = self.option_parser + + if not self.args: + parser.error("command not provided") + + command = self.command = self.args[0] + options = self.options + + if command == 'renew': + if options.external_cert_file and not options.external_ca_file: + parser.error("--external-ca-file not specified") + elif not options.external_cert_file and options.external_ca_file: + parser.error("--external-cert-file not specified") + else: + parser.error("unknown command \"%s\"" % command) + + def run(self): + command = self.command + options = self.options + + api.bootstrap(in_server=True) + api.finalize() + + if command == 'renew' and options.external_cert_file: + self.conn = self.ldap_connect() + else: + self.conn = None + + try: + if command == 'renew': + rc = self.renew() + finally: + if self.conn is not None: + self.conn.disconnect() + + return rc + + def ldap_connect(self): + conn = ldap2() + + password = self.options.password + if not password: + try: + ccache = krbV.default_context().default_ccache() + conn.connect(ccache=ccache) + except (krbV.Krb5Error, errors.ACIError): + pass + else: + return conn + + password = installutils.read_password( + "Directory Manager", confirm=False, validate=False) + if password is None: + raise admintool.ScriptError( + "Directory Manager password required") + + conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password) + + return conn + + def renew(self): + ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + if not ca.is_configured(): + raise admintool.ScriptError("CA is not configured on this system") + + nss_dir = ca.dogtag_constants.ALIAS_DIR + criteria = (('cert_storage_location', nss_dir, certmonger.NPATH), + ('cert_nickname', self.cert_nickname, None)) + self.request_id = certmonger.get_request_id(criteria) + if self.request_id is None: + raise admintool.ScriptError( + "CA certificate is not tracked by certmonger") + self.log.debug( + "Found certmonger request id %r", self.request_id) + + db = certs.CertDB(api.env.realm, nssdir=nss_dir) + cert = db.get_cert_from_db(self.cert_nickname, pem=False) + + options = self.options + if options.external_cert_file: + return self.renew_external_step_2(ca, cert) + + if x509.is_self_signed(cert, x509.DER): + return self.renew_self_signed(ca) + else: + return self.renew_external_step_1(ca) + + def renew_self_signed(self, ca): + print "Renewing CA certificate, please wait" + + try: + ca.set_renewal_master() + except errors.NotFound: + raise admintool.ScriptError("CA renewal master not found") + + self.resubmit_request(ca, 'caCACert') + + print "CA certificate successfully renewed" + + def renew_external_step_1(self, ca): + print "Exporting CA certificate signing request, please wait" + + self.resubmit_request(ca, 'ipaCSRExport') + + print("The next step is to get %s signed by your CA and re-run " + "ipa-cacert-manage as:" % paths.IPA_CA_CSR) + print("ipa-cacert-manage renew " + "--external-cert-file=/path/to/signed_certificate " + "--external-ca-file=/path/to/external_ca_certificate") + + def renew_external_step_2(self, ca, old_cert): + print "Importing the renewed CA certificate, please wait" + + options = self.options + cert_filename = options.external_cert_file + ca_filename = options.external_ca_file + + nss_cert = None + nss.nss_init(ca.dogtag_constants.ALIAS_DIR) + try: + try: + installutils.validate_external_cert( + cert_filename, ca_filename, x509.subject_base()) + except ValueError, e: + raise admintool.ScriptError(e) + + nss_cert = x509.load_certificate(old_cert, x509.DER) + subject = nss_cert.subject + issuer = nss_cert.issuer + #pylint: disable=E1101 + pkinfo = nss_cert.subject_public_key_info.format() + #pylint: enable=E1101 + + nss_cert = x509.load_certificate_from_file(cert_filename) + if not nss_cert.is_ca_cert(): + raise admintool.ScriptError("Not a CA certificate") + if nss_cert.subject != subject: + raise admintool.ScriptError("Subject name mismatch") + if nss_cert.issuer != issuer: + raise admintool.ScriptError("Issuer mismatch") + #pylint: disable=E1101 + if nss_cert.subject_public_key_info.format() != pkinfo: + raise admintool.ScriptError("Subject public key info mismatch") + #pylint: enable=E1101 + cert = nss_cert.der_data + finally: + del nss_cert + nss.nss_shutdown() + + with certs.NSSDatabase() as tmpdb: + pw = ipautil.write_tmp_file(ipautil.ipa_generate_password()) + tmpdb.create_db(pw.name) + tmpdb.add_single_pem_cert( + 'IPA CA', 'C,,', x509.make_pem(base64.b64encode(old_cert))) + + try: + tmpdb.add_single_pem_cert( + 'IPA CA', 'C,,', x509.make_pem(base64.b64encode(cert))) + except ipautil.CalledProcessError, e: + raise admintool.ScriptError( + "Not compatible with the current CA certificate: %s", e) + + ca_certs = x509.load_certificate_chain_from_file(ca_filename) + for ca_cert in ca_certs: + tmpdb.add_single_pem_cert( + str(ca_cert.subject), 'C,,', + x509.make_pem(base64.b64encode(ca_cert.der_data))) + del ca_certs + del ca_cert + + try: + tmpdb.verify_ca_cert_validity('IPA CA') + except ValueError, e: + raise admintool.ScriptError( + "Not a valid CA certificate: %s" % e) + + dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'), + ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) + try: + entry = self.conn.get_entry(dn, ['usercertificate']) + entry['usercertificate'] = [cert] + self.conn.update_entry(entry) + except errors.NotFound: + entry = self.conn.make_entry( + dn, + objectclass=['top', 'pkiuser', 'nscontainer'], + cn=[self.cert_nickname], + usercertificate=[cert]) + self.conn.add_entry(entry) + except errors.EmptyModlist: + pass + + try: + ca.set_renewal_master() + except errors.NotFound: + raise admintool.ScriptError("CA renewal master not found") + + self.resubmit_request(ca, 'ipaRetrieval') + + print "CA certificate successfully renewed" + + def resubmit_request(self, ca, profile): + timeout = api.env.startup_timeout + 60 + + self.log.debug("resubmitting certmonger request '%s'", self.request_id) + certmonger.resubmit_request(self.request_id, profile=profile) + try: + state = certmonger.wait_for_request(self.request_id, timeout) + except RuntimeError: + raise admintool.ScriptError( + "Resubmitting certmonger request '%s' timed out, " + "please check the request manually" % self.request_id) + if state != 'MONITORING': + raise admintool.ScriptError( + "Error resubmitting certmonger request '%s', " + "please check the request manually" % self.request_id) + + self.log.debug("modifying certmonger request '%s'", self.request_id) + certmonger.modify(self.request_id, profile='ipaCACertRenewal') |