Diffstat (limited to 'install/restart_scripts')
-rw-r--r-- | install/restart_scripts/Makefile.am | 3 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 93 | ||||
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 96 | ||||
-rw-r--r-- | install/restart_scripts/restart_dirsrv | 25 | ||||
-rw-r--r-- | install/restart_scripts/restart_httpd | 25 | ||||
-rw-r--r-- | install/restart_scripts/restart_pkicad | 50 |
6 files changed, 290 insertions, 2 deletions
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am index abc066b30..210c4863e 100644 --- a/install/restart_scripts/Makefile.am +++ b/install/restart_scripts/Makefile.am @@ -4,6 +4,9 @@ appdir = $(libdir)/ipa/certmonger app_DATA = \ restart_dirsrv \ restart_httpd \ + restart_pkicad \ + renew_ca_cert \ + renew_ra_cert \ $(NULL) EXTRA_DIST = \ diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert new file mode 100644 index 000000000..d3b756042 --- /dev/null +++ b/install/restart_scripts/renew_ca_cert 
@@ -0,0 +1,93 @@
+#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install.cainstance import update_cert_config
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+cert = db.get_cert_from_db(nickname, pem=False)
+
+if not cert:
+ syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+ sys.exit(1)
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+ dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = cert
+ conn.update_entry(dn, entry_attrs, normalize=False)
+ except errors.NotFound:
+ entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=cert)
+ conn.add_entry(dn, entry_attrs, normalize=False)
+ except errors.EmptyModlist:
+ pass
+ conn.disconnect()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+ shutil.rmtree(tmpdir)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+ db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+ args = ['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu',
+ ]
+ try:
+ db.run_certutil(args)
+ except ipautil.CalledProcessError:
+ syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+
+update_cert_config(nickname, cert)
+
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+
+try:
+ ipaservices.knownservices.pki_cad.restart('pki-ca')
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
new file mode 100644
index 000000000..2fcf1a79b
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert
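Review bot: When the LDAP update inside the outer `try:` fails, the `except Exception, e:` branch only logs it and the script falls through to `update_cert_config(nickname, cert)` and the pki-cad restart, exiting 0, so whoever invokes this post-save script gets no signal that the renewal certificate was not stored. If continuing is intentional (the local instance still needs the restart), a comment saying so above the except would help; otherwise `sys.exit(1)` after the syslog call would mirror how renew_ra_cert treats its agent-entry failure. `conn.disconnect()` is only reached on the success path — any exception from update_entry/add_entry other than NotFound or EmptyModlist skips it — so moving it into the `finally:` alongside `shutil.rmtree(tmpdir)` would close the connection on every path. `import os` and `import krbV` are not referenced anywhere in the file and can be dropped.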
@@ -0,0 +1,96 @@
+#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import shutil
+import tempfile
+import syslog
+from ipapython import services as ipaservices
+from ipapython.certmonger import get_pin
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.install.cainstance import DEFAULT_DSPORT
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import x509
+from ipalib import errors
+from ipaserver.plugins.ldap2 import ldap2
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm)
+cert = db.get_cert_from_db('ipaCert', pem=False)
+serial_number = x509.get_serial_number(cert, datatype=x509.DER)
+subject = x509.get_subject(cert, datatype=x509.DER)
+issuer = x509.get_issuer(cert, datatype=x509.DER)
+
+# Load it into dogtag
+dn = str(DN(('uid','ipara'),('ou','People'),('o','ipaca')))
+
+try:
+ dm_password = get_pin('internaldb')
+except IOError, e:
+ syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+ sys.exit(1)
+
+try:
+ conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
+ entry_attrs['usercertificate'].append(cert)
+ entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
+ conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.disconnect()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
+ sys.exit(1)
+
+# Store it in the IPA LDAP server
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+ dn = str(DN(('cn','ipaCert'),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = cert
+ conn.update_entry(dn, entry_attrs, normalize=False)
+ except errors.NotFound:
+ entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=cert)
+ conn.add_entry(dn, entry_attrs, normalize=False)
+ except errors.EmptyModlist:
+ pass
+ conn.disconnect()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+ shutil.rmtree(tmpdir)
+
+# Now restart Apache so the new certificate is available
+try:
+ ipaservices.knownservices.httpd.restart()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index e243583f9..d6bbbbc3f 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
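Review bot: `cert = db.get_cert_from_db('ipaCert', pem=False)` is handed straight to `x509.get_serial_number` without the `if not cert:` guard that renew_ca_cert applies after its own get_cert_from_db call, so a missing certificate ends in an uncaught traceback instead of the syslog message plus `sys.exit(1)` used everywhere else in this script; adding `if not cert:` / `syslog.syslog(syslog.LOG_ERR, 'No certificate ipaCert found.')` / `sys.exit(1)` before the three x509 calls makes the two scripts consistent. `entry_attrs['usercertificate'].append(cert)` adds one value to the agent entry on every renewal and never removes the superseded certificate, and it raises KeyError (reported only as 'Updating agent entry failed') if the entry carries no usercertificate value — a comment stating whether accumulating old certificates on the agent entry is intended would help the next reader. As in renew_ca_cert, `conn.disconnect()` in both LDAP blocks is only reached on the success path.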
@@ -1,5 +1,26 @@ #!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + import sys +import syslog from ipapython import services as ipaservices try: @@ -7,7 +28,9 @@ try: except IndexError: instance = "" +syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance) + try: ipaservices.knownservices.dirsrv.restart(instance) except Exception, e: - print "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)) + syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e))) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index a53ab6e62..96f80bd8e 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
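Review bot: In the second hunk the `except Exception, e:` branch now reports the failed restart to syslog, but the script still exits 0 afterwards, so anything that inspects the exit status of this post-save command cannot tell a failed restart from a successful one; `sys.exit(1)` after the `syslog.syslog(syslog.LOG_ERR, ...)` call would surface it, assuming the invoker looks at the status at all. The replaced `print` had the same weakness, so this is not introduced here, but the same pattern recurs in restart_httpd and restart_pkicad in this commit and in the final restart block of renew_ca_cert and renew_ra_cert, and could be fixed once across all five scripts.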
@@ -1,7 +1,30 @@ #!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import syslog from ipapython import services as ipaservices +syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') + try: ipaservices.knownservices.httpd.restart() except Exception, e: - print "Cannot restart httpd: %s" % str(e) + syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e)) diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad new file mode 100644 index 000000000..070760b16 --- /dev/null +++ b/install/restart_scripts/restart_pkicad 
@@ -0,0 +1,50 @@
+#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import syslog
+from ipapython import services as ipaservices
+from ipaserver.install import certs
+from ipalib import api
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+ db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+ args = ['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu',
+ ]
+ db.run_certutil(args)
+
+try:
+ # I've seen times where systemd restart does not actually restart
+ # the process. A full stop/start is required. This works around that
+ ipaservices.knownservices.pki_cad.stop('pki-ca')
+ ipaservices.knownservices.pki_cad.start('pki-ca')
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
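Review bot: `db.run_certutil(args)` in the audit-cert branch is not wrapped in a `try`, unlike the identical call in renew_ca_cert, so a certutil failure raises an uncaught exception and the script dies before the stop/start of pki-ca that it exists to perform; wrapping it in `try:` / `except ipautil.CalledProcessError:` with a `syslog.LOG_ERR` message naming the nickname (and adding `from ipapython import ipautil`) keeps the restart on the error path, as renew_ca_cert does. The stop/start pair also means that if `stop('pki-ca')` succeeds and `start('pki-ca')` fails, the CA is left down with nothing but a syslog line and an exit status of 0; the comment above the pair could state that this outcome is accepted. `nickname = sys.argv[1]` is unguarded, whereas restart_dirsrv catches IndexError on its argv read.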