#!/usr/bin/python -E # # Authors: # Rob Crittenden # # Copyright (C) 2012 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . import os import sys import shutil import tempfile import krbV import syslog import random import time from ipalib import api from ipapython.dn import DN from ipalib import errors from ipapython import services as ipaservices from ipapython import ipautil from ipaserver.install import certs from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install.cainstance import update_cert_config # This script a post-cert-install command for certmonger. When certmonger # has renewed a CA subsystem certificate a copy is put into the replicated # tree so it can be shared with the other IPA servers. nickname = sys.argv[1] api.bootstrap(context='restart') api.finalize() # Fetch the new certificate db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') cert = db.get_cert_from_db(nickname, pem=False) if not cert: syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) sys.exit(1) # Update or add it tmpdir = tempfile.mkdtemp(prefix = "tmp-") try: dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) principal = str('host/%s@%s' % (api.env.host, api.env.realm)) ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) conn.connect(ccache=ccache) try: (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) entry_attrs['usercertificate'] = cert conn.update_entry(dn, entry_attrs, normalize=False) except errors.NotFound: entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'], usercertificate=cert) conn.add_entry(dn, entry_attrs, normalize=False) except errors.EmptyModlist: pass conn.disconnect() except Exception, e: syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) finally: shutil.rmtree(tmpdir) # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') args = ['-M', '-n', nickname, '-t', 'u,u,Pu', ] try: db.run_certutil(args) except ipautil.CalledProcessError: syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) update_cert_config(nickname, cert) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname) # We monitor 3 certs that are all likely to be renewed by certmonger more or # less at the same time. Each cert renewal is going to need to restart # the CA. Add a bit of randomness in this so not all three try to start it # at the same time. A restart is needed for each because there is no guarantee # that they will all be renewed at the same time. pause = random.randint(10,360) syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause) time.sleep(pause) try: ipaservices.knownservices.pki_cad.restart('pki-ca') except Exception, e: syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))