1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
#!/usr/bin/python2 -E
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2013 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
import os
import syslog
import tempfile
import shutil
import traceback
from ipapython import dogtag, certmonger, ipautil
from ipapython.dn import DN
from ipalib import api, errors, x509, certstore
from ipaserver.install import certs, cainstance, installutils
from ipaserver.plugins.ldap2 import ldap2
from ipaplatform import services
from ipaplatform.paths import paths
def main():
nickname = sys.argv[1]
api.bootstrap(context='restart')
api.finalize()
configured_constants = dogtag.configured_constants(api)
alias_dir = configured_constants.ALIAS_DIR
dogtag_service = services.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
# dogtag opens its NSS database in read/write mode so we need it
# shut down so certmonger can open it read/write mode. This avoids
# database corruption. It should already be stopped by the pre-command
# but lets be sure.
if dogtag_service.is_running(dogtag_instance):
syslog.syslog(
syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
try:
dogtag_service.stop(dogtag_instance)
except Exception, e:
syslog.syslog(
syslog.LOG_ERR,
"Cannot stop %s: %s" % (dogtag_service.service_name, e))
else:
syslog.syslog(
syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
cert = db.get_cert_from_db(nickname, pem=False)
if not cert:
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
sys.exit(1)
cainstance.update_cert_config(nickname, cert, configured_constants)
tmpdir = tempfile.mkdtemp(prefix="tmp-")
try:
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
principal)
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)
if nickname == 'auditSigningCert cert-pki-ca':
# Fix trust on the audit cert
try:
db.run_certutil(['-M',
'-n', nickname,
'-t', 'u,u,Pu'])
syslog.syslog(
syslog.LOG_NOTICE,
"Updated trust on certificate %s in %s" %
(nickname, db.secdir))
except ipautil.CalledProcessError:
syslog.syslog(
syslog.LOG_ERR,
"Updating trust on certificate %s failed in %s" %
(nickname, db.secdir))
elif nickname == 'caSigningCert cert-pki-ca':
# Update CS.cfg
cfg_path = configured_constants.CS_CFG_PATH
config = installutils.get_directive(
cfg_path, 'subsystem.select', '=')
if config == 'New':
syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
if x509.is_self_signed(cert, x509.DER):
installutils.set_directive(
cfg_path, 'hierarchy.select', 'Root',
quotes=False, separator='=')
installutils.set_directive(
cfg_path, 'subsystem.count', '1',
quotes=False, separator='=')
else:
installutils.set_directive(
cfg_path, 'hierarchy.select', 'Subordinate',
quotes=False, separator='=')
installutils.set_directive(
cfg_path, 'subsystem.count', '0',
quotes=False, separator='=')
else:
syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
# Remove old external CA certificates
for ca_nick, ca_flags in db.list_certs():
if 'u' in ca_flags:
continue
# Delete *all* certificates that use the nickname
while True:
try:
db.delete_cert(ca_nick)
except ipautil.CalledProcessError:
syslog.syslog(
syslog.LOG_ERR,
"Failed to remove certificate %s" % ca_nick)
break
if not db.has_nickname(ca_nick):
break
conn = None
try:
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
conn.connect(ccache=ccache)
except Exception, e:
syslog.syslog(
syslog.LOG_ERR, "Failed to connect to LDAP: %s" % e)
else:
# Update CA certificate in LDAP
if ca.is_renewal_master():
try:
certstore.update_ca_cert(conn, api.env.basedn, cert)
except errors.EmptyModlist:
pass
except Exception, e:
syslog.syslog(
syslog.LOG_ERR,
"Updating CA certificate failed: %s" % e)
# Add external CA certificates
ca_issuer = str(x509.get_issuer(cert, x509.DER))
try:
ca_certs = certstore.get_ca_certs(
conn, api.env.basedn, api.env.realm, False,
filter_subject=ca_issuer)
except Exception, e:
syslog.syslog(
syslog.LOG_ERR,
"Failed to get external CA certificates from LDAP: "
"%s" % e)
ca_certs = []
for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
nick = nick_base
i = 1
while db.has_nickname(nick):
nick = '%s [%s]' % (nick_base, i)
i += 1
if ca_trusted is False:
flags = 'p,p,p'
else:
flags = 'CT,c,'
try:
db.add_cert(ca_cert, nick, flags)
except ipautil.CalledProcessError, e:
syslog.syslog(
syslog.LOG_ERR,
"Failed to add certificate %s" % ca_nick)
finally:
if conn is not None and conn.isconnected():
conn.disconnect()
finally:
shutil.rmtree(tmpdir)
# Now we can start the CA. Using the services start should fire
# off the servlet to verify that the CA is actually up and responding so
# when this returns it should be good-to-go. The CA was stopped in the
# pre-save state.
syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
try:
dogtag_service.start(dogtag_instance)
except Exception, e:
syslog.syslog(
syslog.LOG_ERR,
"Cannot start %s: %s" % (dogtag_service.service_name, e))
else:
syslog.syslog(
syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
try:
main()
except Exception:
syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
|
