#!/usr/bin/python -E # # Authors: # Rob Crittenden # # Copyright (C) 2012 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . import sys import shutil import tempfile import syslog from ipapython import services as ipaservices from ipapython.certmonger import get_pin from ipapython import ipautil from ipaserver.install import certs from ipaserver.install.cainstance import DEFAULT_DSPORT from ipalib import api from ipapython.dn import DN from ipalib import x509 from ipalib import errors from ipaserver.plugins.ldap2 import ldap2 api.bootstrap(context='restart') api.finalize() # Fetch the new certificate db = certs.CertDB(api.env.realm) cert = db.get_cert_from_db('ipaCert', pem=False) serial_number = x509.get_serial_number(cert, datatype=x509.DER) subject = x509.get_subject(cert, datatype=x509.DER) issuer = x509.get_issuer(cert, datatype=x509.DER) # Load it into dogtag dn = DN(('uid','ipara'),('ou','People'),('o','ipaca')) try: dm_password = get_pin('internaldb') except IOError, e: syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e) sys.exit(1) try: conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT) conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password) (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False) entry_attrs['usercertificate'].append(cert) entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject) conn.update_entry(dn, entry_attrs, normalize=False) conn.disconnect() except Exception, e: syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e) sys.exit(1) # Store it in the IPA LDAP server tmpdir = tempfile.mkdtemp(prefix = "tmp-") try: dn = DN(('cn','ipaCert'), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) principal = str('host/%s@%s' % (api.env.host, api.env.realm)) ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) conn.connect(ccache=ccache) try: (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) entry_attrs['usercertificate'] = cert conn.update_entry(dn, entry_attrs, normalize=False) except errors.NotFound: entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'], usercertificate=cert) conn.add_entry(dn, entry_attrs, normalize=False) except errors.EmptyModlist: pass conn.disconnect() except Exception, e: syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) finally: shutil.rmtree(tmpdir) # Now restart Apache so the new certificate is available try: ipaservices.knownservices.httpd.restart() except Exception, e: syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))