Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/Makefile.am3
-rw-r--r--install/restart_scripts/renew_ca_cert93
-rw-r--r--install/restart_scripts/renew_ra_cert96
-rw-r--r--install/restart_scripts/restart_dirsrv25
-rw-r--r--install/restart_scripts/restart_httpd25
-rw-r--r--install/restart_scripts/restart_pkicad50
6 files changed, 290 insertions, 2 deletions
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index abc066b30..210c4863e 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -4,6 +4,9 @@ appdir = $(libdir)/ipa/certmonger
app_DATA = \
restart_dirsrv \
restart_httpd \
+ restart_pkicad \
+ renew_ca_cert \
+ renew_ra_cert \
$(NULL)
EXTRA_DIST = \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
new file mode 100644
index 000000000..d3b756042
--- /dev/null
+++ b/install/restart_scripts/renew_ca_cert
@@ -0,0 +1,93 @@
+#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install.cainstance import update_cert_config
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+cert = db.get_cert_from_db(nickname, pem=False)
+
+if not cert:
+ syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+ sys.exit(1)
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+ dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = cert
+ conn.update_entry(dn, entry_attrs, normalize=False)
+ except errors.NotFound:
+ entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=cert)
+ conn.add_entry(dn, entry_attrs, normalize=False)
+ except errors.EmptyModlist:
+ pass
+ conn.disconnect()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+ shutil.rmtree(tmpdir)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+ db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+ args = ['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu',
+ ]
+ try:
+ db.run_certutil(args)
+ except ipautil.CalledProcessError:
+ syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+
+update_cert_config(nickname, cert)
+
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+
+try:
+ ipaservices.knownservices.pki_cad.restart('pki-ca')
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
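Review bot: `nickname = sys.argv[1]` at the top of the new script is unguarded, so an invocation without the nickname argument dies with an IndexError traceback on stderr instead of the syslog record every other failure path in this file produces; restart_dirsrv already handles the same missing-argument case with `except IndexError`. A guard in that style would be `if len(sys.argv) < 2: syslog.syslog(syslog.LOG_ERR, 'renew_ca_cert: missing certificate nickname'); sys.exit(1)`. Separately, the LOG_NOTICE near the end says pki-cad was restarted before the restart is attempted, so a failed restart leaves both "restarted" and "Cannot restart" in the log; logging "restarting" (or emitting the notice only after a successful restart) keeps the audit trail accurate. When the update of the cn=ca_renewal entry fails the script only logs and still reconfigures and restarts the CA, which looks deliberate (renew_ra_cert's second block behaves the same), but it does mean other masters will not see the new certificate until a later run, so that is worth stating in a comment above the `except Exception`.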
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
new file mode 100644
index 000000000..2fcf1a79b
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert
@@ -0,0 +1,96 @@
+#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import shutil
+import tempfile
+import syslog
+from ipapython import services as ipaservices
+from ipapython.certmonger import get_pin
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.install.cainstance import DEFAULT_DSPORT
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import x509
+from ipalib import errors
+from ipaserver.plugins.ldap2 import ldap2
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm)
+cert = db.get_cert_from_db('ipaCert', pem=False)
+serial_number = x509.get_serial_number(cert, datatype=x509.DER)
+subject = x509.get_subject(cert, datatype=x509.DER)
+issuer = x509.get_issuer(cert, datatype=x509.DER)
+
+# Load it into dogtag
+dn = str(DN(('uid','ipara'),('ou','People'),('o','ipaca')))
+
+try:
+ dm_password = get_pin('internaldb')
+except IOError, e:
+ syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+ sys.exit(1)
+
+try:
+ conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
+ entry_attrs['usercertificate'].append(cert)
+ entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
+ conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.disconnect()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
+ sys.exit(1)
+
+# Store it in the IPA LDAP server
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+ dn = str(DN(('cn','ipaCert'),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = cert
+ conn.update_entry(dn, entry_attrs, normalize=False)
+ except errors.NotFound:
+ entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=cert)
+ conn.add_entry(dn, entry_attrs, normalize=False)
+ except errors.EmptyModlist:
+ pass
+ conn.disconnect()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+ shutil.rmtree(tmpdir)
+
+# Now restart Apache so the new certificate is available
+try:
+ ipaservices.knownservices.httpd.restart()
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
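Review bot: The value returned by `db.get_cert_from_db('ipaCert', pem=False)` is passed straight into `x509.get_serial_number` without the `if not cert:` check that renew_ca_cert performs, so a missing ipaCert becomes an uncaught traceback rather than the LOG_ERR plus `sys.exit(1)` used for the script's other failures; adding `if not cert: syslog.syslog(syslog.LOG_ERR, 'No certificate ipaCert found.'); sys.exit(1)` right after the fetch matches the sibling script. In the dogtag agent update, `entry_attrs['usercertificate'].append(cert)` keeps every previous certificate on the uid=ipara entry, so the attribute grows with each renewal and the superseded certificate stays present as a match candidate; if dogtag also requires the serial in the rewritten description field this may be harmless, but that should be confirmed (or the value replaced outright) rather than assumed. If the entry has no usercertificate attribute at all, the `.append` presumably raises a KeyError that is caught by the broad except and logged as "Updating agent entry failed", which is acceptable but worth a comment.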
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index e243583f9..d6bbbbc3f 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -1,5 +1,26 @@
#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
import sys
+import syslog
from ipapython import services as ipaservices
try:
@@ -7,7 +28,9 @@ try:
except IndexError:
instance = ""
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
+
try:
ipaservices.knownservices.dirsrv.restart(instance)
except Exception, e:
- print "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e))
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
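Review bot: The LOG_NOTICE added here reports that certmonger restarted dirsrv before `restart(instance)` is called, so when the restart fails syslog carries a "restarted" record immediately followed by the LOG_ERR, which reads as contradictory during incident review. Wording it as an attempt, `"certmonger restarting dirsrv instance '%s'"`, or emitting the notice only after a successful restart, keeps the trail accurate. The `try` whose `except IndexError` opens this hunk starts outside it.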
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index a53ab6e62..96f80bd8e 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -1,7 +1,30 @@
#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import syslog
from ipapython import services as ipaservices
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
+
try:
ipaservices.knownservices.httpd.restart()
except Exception, e:
- print "Cannot restart httpd: %s" % str(e)
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
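Review bot: The new `syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')` is emitted before the restart is attempted, so on failure the log shows a successful-sounding "restarted" line directly above "Cannot restart httpd". Either phrase it as `'certmonger restarting httpd'` or log the notice after `restart()` returns without raising, so that the syslog record reflects what actually happened. The switch from print to syslog is otherwise the right move, since certmonger's stdout is not where an operator will look.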
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
new file mode 100644
index 000000000..070760b16
--- /dev/null
+++ b/install/restart_scripts/restart_pkicad
@@ -0,0 +1,50 @@
+#!/usr/bin/python -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import syslog
+from ipapython import services as ipaservices
+from ipaserver.install import certs
+from ipalib import api
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+ db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+ args = ['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu',
+ ]
+ db.run_certutil(args)
+
+try:
+ # I've seen times where systemd restart does not actually restart
+ # the process. A full stop/start is required. This works around that
+ ipaservices.knownservices.pki_cad.stop('pki-ca')
+ ipaservices.knownservices.pki_cad.start('pki-ca')
+except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))
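Review bot: `db.run_certutil(args)` for the audit signing certificate is not wrapped in a try here, unlike the identical call in renew_ca_cert, so a certutil failure propagates as a traceback and the stop/start of pki-ca below is skipped entirely, leaving the CA running on the old certificate with nothing in syslog. Mirroring the sibling script, `try: db.run_certutil(args)` / `except ipautil.CalledProcessError: syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))`, needs `from ipapython import ipautil`, which renew_ca_cert already imports. `nickname = sys.argv[1]` carries the same unguarded IndexError as renew_ca_cert, while restart_dirsrv handles the missing argument. The notice also says pki-cad was "restarted" before the stop/start runs; "restarting" would be accurate.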