From 6980b073035cdd43b30b58aba3ce7f84f16a14ad Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 11 Jul 2008 11:34:29 -0400 Subject: Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402 --- ipa-server/ipa-install/ipa-replica-install | 7 ++- ipa-server/ipa-install/ipa-replica-prepare | 75 +++++++++++++++++++++---- ipa-server/ipa-install/ipa-server-certinstall | 61 ++++++++++---------- ipa-server/ipa-install/ipa-server-install | 80 ++++++++++++++++++++++----- 4 files changed, 164 insertions(+), 59 deletions(-) (limited to 'ipa-server/ipa-install') diff --git a/ipa-server/ipa-install/ipa-replica-install b/ipa-server/ipa-install/ipa-replica-install index a2798bb24..31fd4ccd6 100644 --- a/ipa-server/ipa-install/ipa-replica-install +++ b/ipa-server/ipa-install/ipa-replica-install @@ -103,7 +103,7 @@ def install_ds(config): pkcs12_info = None if ipautil.file_exists(config.dir + "/dscert.p12"): pkcs12_info = (config.dir + "/dscert.p12", - config.dir + "/pwdfile.txt") + config.dir + "/dirsrv_pin.txt") ds = dsinstance.DsInstance() ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info) @@ -125,7 +125,7 @@ def install_http(config): pkcs12_info = None if ipautil.file_exists(config.dir + "/httpcert.p12"): pkcs12_info = (config.dir + "/httpcert.p12", - config.dir + "/pwdfile.txt") + config.dir + "/http_pin.txt") http = httpinstance.HTTPInstance() http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info) @@ -174,6 +174,9 @@ def main(): options, filename = parse_options() installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug) + if not ipautil.file_exists(filename): + sys.exit("Replica file %s does not exist" % filename) + check_dirsrv() top_dir, dir = expand_info(filename) diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare index 8b5ff2269..8f551ee9b 100644 --- a/ipa-server/ipa-install/ipa-replica-prepare +++ b/ipa-server/ipa-install/ipa-replica-prepare @@ -40,8 +40,26 @@ def parse_options(): parser = OptionParser(version=version.VERSION) args = ipa.config.init_config(sys.argv) + + parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", + help="install certificate for the directory server") + parser.add_option("--http_pkcs12", dest="http_pkcs12", + help="install certificate for the http server") + parser.add_option("--dirsrv_pin", dest="dirsrv_pin", + help="PIN for the Directory Server PKCS#12 file") + parser.add_option("--http_pin", dest="http_pin", + help="PIN for the Apache Server PKCS#12 file") + options, args = parser.parse_args(args) + # If any of the PKCS#12 options are selected, all are required. Create a + # list of the options and count it to enforce that all are required without + # having a huge set of it blocks. + pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] + cnt = pkcs12.count(None) + if cnt > 0 and cnt < 4: + parser.error("error: All PKCS#12 options are required if any are used.") + if len(args) != 2: parser.error("must provide the fully-qualified name of the replica") @@ -79,10 +97,11 @@ def check_ipa_configuration(realm_name): logging.error("could not find directory instance: %s" % config_dir) sys.exit(1) -def export_certdb(realm_name, ds_dir, dir, fname, subject): +def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject): """realm is the kerberos realm for the IPA server. ds_dir is the location of the master DS we are creating a replica for. dir is the location of the files for the replica we are creating. + passwd_fname is the file containing the PKCS#12 password fname is the filename of the PKCS#12 file for this cert (minus the .p12). subject is the subject of the certificate we are creating """ @@ -95,10 +114,6 @@ def export_certdb(realm_name, ds_dir, dir, fname, subject): raise e pkcs12_fname = dir + "/" + fname + ".p12" - passwd_fname = dir + "/pwdfile.txt" - fd = open(passwd_fname, "w") - fd.write("\n") - fd.close() try: ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") @@ -150,6 +165,9 @@ def main(): replica_fqdn = args[1] + if not ipautil.file_exists("/usr/share/ipa/serial") and not options.dirsrv_pin: + sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") + print "Determining current realm name" realm_name = get_realm_name() if realm_name is None: @@ -177,10 +195,47 @@ def main(): dir = top_dir + "/realm_info" os.mkdir(dir, 0700) - print "Creating SSL certificate for the Directory Server" - export_certdb(realm_name, ds_dir, dir, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn) - print "Creating SSL certificate for the Web Server" - export_certdb(realm_name, ds_dir, dir, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn) + if options.dirsrv_pin: + passwd = options.dirsrv_pin + else: + passwd = "" + + passwd_fname = dir + "/dirsrv_pin.txt" + fd = open(passwd_fname, "w") + fd.write("%s\n" % passwd) + fd.close() + + if options.dirsrv_pkcs12: + print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12 + try: + shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12") + except IOError, e: + print "Copy failed %s" % e + sys.exit(1) + else: + print "Creating SSL certificate for the Directory Server" + export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn) + + if options.http_pin: + passwd = options.http_pin + else: + passwd = "" + + passwd_fname = dir + "/http_pin.txt" + fd = open(passwd_fname, "w") + fd.write("%s\n" % passwd) + fd.close() + + if options.http_pkcs12: + print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12 + try: + shutil.copy(options.http_pkcs12, dir + "/httpcert.p12") + except IOError, e: + print "Copy failed %s" % e + sys.exit(1) + else: + print "Creating SSL certificate for the Web Server" + export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn) print "Copying additional files" copy_files(realm_name, dir) print "Finalizing configuration" @@ -195,8 +250,6 @@ def main(): try: if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") - if not ipautil.file_exists("/usr/share/ipa/serial"): - sys.exit("The replica must be created on the primary IPA server.") main() except SystemExit, e: diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-install/ipa-server-certinstall index 89f89a587..835af0aa8 100644 --- a/ipa-server/ipa-install/ipa-server-certinstall +++ b/ipa-server/ipa-install/ipa-server-certinstall @@ -21,6 +21,7 @@ import sys import os import pwd +import tempfile import traceback @@ -40,12 +41,18 @@ def parse_options(): default=False, help="install certificate for the directory server") parser.add_option("-w", "--http", dest="http", action="store_true", default=False, help="install certificate for the http server") - + parser.add_option("--dirsrv_pin", dest="dirsrv_pin", + help="The password of the Directory Server PKCS#12 file") + parser.add_option("--http_pin", dest="http_pin", + help="The password of the Apache Server PKCS#12 file") options, args = parser.parse_args() if not options.dirsrv and not options.http: parser.error("you must specify dirsrv and/or http") + if ((options.dirsrv and not options.dirsrv_pin) or + (options.http and not options.http_pin)): + parser.error("you must provide the password for the PKCS#12 file") if len(args) != 1: parser.error("you must provide a pkcs12 filename") @@ -62,30 +69,13 @@ def set_ds_cert_name(cert_name, dm_password): conn.unbind() -def set_http_cert_name(cert_name): - # find the existing cert name - fd = open(httpinstance.NSS_CONF) - nick_name = None - file = [] - for line in fd: - if "NSSNickname" in line: - file.append('NSSNickname "%s"\n' % cert_name) - else: - file.append(line) - fd.close() - - fd = open(httpinstance.NSS_CONF, "w") - fd.write("".join(file)) - fd.close() - - def choose_server_cert(server_certs): print "Please select the certificate to use:" num = 1 for cert in server_certs: print "%d. %s" % (num, cert[0]) num += 1 - + cert_num = 0 while 1: cert_input = raw_input("Certificate number [1]: ") @@ -104,17 +94,24 @@ def choose_server_cert(server_certs): cert_num = num - 1 break return server_certs[cert_num] - -def import_cert(dirname, pkcs12_fname): + +def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): cdb = certs.CertDB(dirname) - cdb.create_passwd_file(False) + cdb.create_passwd_file(db_password) cdb.create_certdbs() + [pw_fd, pw_name] = tempfile.mkstemp() + os.write(pw_fd, pkcs12_passwd) + os.close(pw_fd) + try: - cdb.import_pkcs12(pkcs12_fname) - except RuntimeError, e: - print str(e) - sys.exit(1) + try: + cdb.import_pkcs12(pkcs12_fname, pw_name) + except RuntimeError, e: + print str(e) + sys.exit(1) + finally: + os.remove(pw_name) server_certs = cdb.find_server_certs() if len(server_certs) == 0: @@ -137,14 +134,17 @@ def main(): dm_password = getpass.getpass("Directory Manager password: ") realm = get_realm_name() dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm)) - server_cert = import_cert(dirname, pkcs12_fname) + fd = open(dirname + "/pwdfile.txt") + passwd = fd.read() + fd.close() + + server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd) set_ds_cert_name(server_cert[0], dm_password) if options.http: dirname = httpinstance.NSS_DIR - server_cert = import_cert(dirname, pkcs12_fname) - print server_cert - set_http_cert_name(server_cert[0]) + server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "") + installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0]) # Fix the database permissions os.chmod(dirname + "/cert8.db", 0640) @@ -163,5 +163,4 @@ def main(): return 0 - sys.exit(main()) diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install index a48fca84b..8b5b831c7 100644 --- a/ipa-server/ipa-install/ipa-server-install +++ b/ipa-server/ipa-install/ipa-server-install @@ -50,6 +50,8 @@ from ipaserver.installutils import * from ipa import sysrestore from ipa.ipautil import * +pw_name = None + def parse_options(): parser = OptionParser(version=version.VERSION) parser.add_option("-u", "--user", dest="ds_user", @@ -76,6 +78,14 @@ def parse_options(): default=False, help="uninstall an existing installation") parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", help="do not configure ntp", default=True) + parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", + help="PKCS#12 file containing the Directory Server SSL certificate") + parser.add_option("--http_pkcs12", dest="http_pkcs12", + help="PKCS#12 file containing the Apache Server SSL certificate") + parser.add_option("--dirsrv_pin", dest="dirsrv_pin", + help="The password of the Directory Server PKCS#12 file") + parser.add_option("--http_pin", dest="http_pin", + help="The password of the Apache Server PKCS#12 file") options, args = parser.parse_args() @@ -89,6 +99,14 @@ def parse_options(): not options.dm_password or not options.admin_password): parser.error("error: In unattended mode you need to provide at least -u, -r, -p and -a options") + # If any of the PKCS#12 options are selected, all are required. Create a + # list of the options and count it to enforce that all are required without + # having a huge set of it blocks. + pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] + cnt = pkcs12.count(None) + if cnt > 0 and cnt < 4: + parser.error("error: All PKCS#12 options are required if any are used.") + return options def signal_handler(signum, frame): @@ -312,6 +330,7 @@ def uninstall(): def main(): global ds + global pw_name ds = None options = parse_options() @@ -486,17 +505,38 @@ def main(): ntp = ipaserver.ntpinstance.NTPInstance(fstore) ntp.create_instance() + if options.dirsrv_pin: + [pw_fd, pw_name] = tempfile.mkstemp() + os.write(pw_fd, options.dirsrv_pin) + os.close(pw_fd) + # Create a directory server instance ds = ipaserver.dsinstance.DsInstance() - ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) + if options.dirsrv_pkcs12: + pkcs12_info = (options.dirsrv_pkcs12, pw_name) + ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info) + os.remove(pw_name) + else: + ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password) # Create a kerberos instance krb = ipaserver.krbinstance.KrbInstance(fstore) krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password) # Create a HTTP instance + + if options.http_pin: + [pw_fd, pw_name] = tempfile.mkstemp() + os.write(pw_fd, options.http_pin) + os.close(pw_fd) + http = ipaserver.httpinstance.HTTPInstance(fstore) - http.create_instance(realm_name, host_name, domain_name) + if options.http_pkcs12: + pkcs12_info = (options.http_pkcs12, pw_name) + http.create_instance(realm_name, host_name, domain_name, False, pkcs12_info) + os.remove(pw_name) + else: + http.create_instance(realm_name, host_name, domain_name, False) # Create the config file fstore.backup_file("/etc/ipa/ipa.conf") @@ -563,20 +603,30 @@ def main(): print "\t and servers for correct operation. You should consider enabling ntpd." print "" - print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12" - print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt" + if not options.dirsrv_pkcs12: + print "Be sure to back up the CA certificate stored in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "cacert.p12" + print "The password for this file is in " + ipaserver.dsinstance.config_dirname(ds.serverid) + "pwdfile.txt" + else: + print "In order for Firefox autoconfiguration to work you will need to" + print "use a SSL signing certificate. See the IPA documentation for more details." + print "You also need to install a PEM copy of the HTTP issuing CA into" + print "/usr/share/ipa/html/ca.crt" return 0 try: - sys.exit(main()) -except SystemExit, e: - sys.exit(e) -except Exception, e: - message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) - print message - message = str(e) - for str in traceback.format_tb(sys.exc_info()[2]): - message = message + "\n" + str - logging.debug(message) - sys.exit(1) + try: + sys.exit(main()) + except SystemExit, e: + sys.exit(e) + except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) +finally: + if pw_name and ipautil.file_exists(pw_name): + os.remove(pw_name) -- cgit