authorJan Cholasta <jcholast@redhat.com>2013-07-04 15:45:42 +0000
committerPetr Viktorin <pviktori@redhat.com>2013-08-20 16:18:59 +0200
commit2b08168df4a1cb1e91cf9600641ed13b971d85be (patch)
tree30616341bc0eeb85c3da941174116ef7b12389fa
parentce711ddad8900fcf70e717e98cd325621b69da18 (diff)
Port ipa-server-certinstall to the admintool framework.
Change the log file path from /var/log/ipa/default.log to admintool's default path. https://fedorahosted.org/freeipa/ticket/3641
-rwxr-xr-xinstall/tools/ipa-server-certinstall145
-rw-r--r--ipaserver/install/ipa_server_certinstall.py154
2 files changed, 158 insertions, 141 deletions
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index 01a7ac097..9bb0ef850 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -1,7 +1,7 @@
#! /usr/bin/python -E
-# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+# Authors: Jan Cholasta <jcholast@redhat.com>
#
-# Copyright (C) 2007 Red Hat
+# Copyright (C) 2013 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -18,143 +18,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import sys
-import os
-import pwd
-import tempfile
+from ipaserver.install.ipa_server_certinstall import ServerCertInstall
-import traceback
-
-import krbV
-
-from ipapython.ipautil import user_input
-
-from ipaserver.install import certs, dsinstance, httpinstance, installutils
-from ipalib import api
-from ipapython import admintool
-from ipapython.ipa_log_manager import *
-from ipapython.dn import DN
-from ipaserver.plugins.ldap2 import ldap2
-
-CACERT = "/etc/ipa/ca.crt"
-
-def get_realm_name():
- c = krbV.default_context()
- return c.default_realm
-
-def parse_options():
- from optparse import OptionParser
- parser = OptionParser()
-
- parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true",
- default=False, help="install certificate for the directory server")
- parser.add_option("-w", "--http", dest="http", action="store_true",
- default=False, help="install certificate for the http server")
- parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
- help="The password of the Directory Server PKCS#12 file")
- parser.add_option("--http_pin", dest="http_pin",
- help="The password of the Apache Server PKCS#12 file")
-
- options, args = parser.parse_args()
-
- if not options.dirsrv and not options.http:
- parser.error("you must specify dirsrv and/or http")
- if ((options.dirsrv and not options.dirsrv_pin) or
- (options.http and not options.http_pin)):
- parser.error("you must provide the password for the PKCS#12 file")
-
- if len(args) != 1:
- parser.error("you must provide a pkcs12 filename")
-
- return options, args[0]
-
-def set_ds_cert_name(cert_name, dm_password):
- conn = ldap2(shared_instance=False, base_dn='')
- conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
- mod = {'nssslpersonalityssl': cert_name}
- conn.update_entry(DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), mod)
- conn.disconnect()
-
-def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
- [pw_fd, pw_name] = tempfile.mkstemp()
- os.write(pw_fd, pkcs12_passwd)
- os.close(pw_fd)
-
- try:
- server_cert = installutils.check_pkcs12(
- pkcs12_info=(pkcs12_fname, pw_name),
- ca_file=CACERT,
- hostname=api.env.host)
- except admintool.ScriptError, e:
- print str(e)
- sys.exit(1)
-
- cdb = certs.CertDB(api.env.realm, nssdir=dirname)
- cdb.create_passwd_file(db_password)
- cdb.create_certdbs()
-
- try:
- try:
- cdb.nssdb.import_pem_cert('CA', 'CT,CT,', CACERT)
- cdb.import_pkcs12(pkcs12_fname, pw_name)
- except RuntimeError, e:
- print str(e)
- sys.exit(1)
- finally:
- os.remove(pw_name)
-
- return server_cert
-
-def main():
- if os.geteuid() != 0:
- sys.exit("\nYou must be root to run this script.\n")
-
- installutils.check_server_configuration()
-
- options, pkcs12_fname = parse_options()
-
- cfg = dict(in_server=True,)
-
- standard_logging_setup("/var/log/ipa/default.log")
-
- api.bootstrap(**cfg)
- api.finalize()
-
- try:
- if options.dirsrv:
- dm_password = installutils.read_password("Directory Manager",
- confirm=False, validate=False, retry=False)
- if dm_password is None:
- sys.exit("Directory Manager password required")
- realm = get_realm_name()
- dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
- fd = open(dirname + "/pwdfile.txt")
- passwd = fd.read()
- fd.close()
-
- server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
- set_ds_cert_name(server_cert, dm_password)
-
- if options.http:
- dirname = certs.NSS_DIR
- server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
- installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert)
-
- # Fix the database permissions
- os.chmod(dirname + "/cert8.db", 0640)
- os.chmod(dirname + "/key3.db", 0640)
- os.chmod(dirname + "/secmod.db", 0640)
-
- pent = pwd.getpwnam("apache")
- os.chown(dirname + "/cert8.db", 0, pent.pw_gid )
- os.chown(dirname + "/key3.db", 0, pent.pw_gid )
- os.chown(dirname + "/secmod.db", 0, pent.pw_gid )
-
- except Exception, e:
- traceback.print_exc(file=sys.stderr)
- sys.exit("an unexpected error occurred: %s" % str(e))
-
- return 0
-
-if __name__ == '__main__':
- installutils.run_script(main, operation_name='ipa-server-certinstall')
+ServerCertInstall.run_cli()
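Review bot: `ServerCertInstall.run_cli()` on the new last line executes at module level, whereas the replaced script guarded its entry point with `if __name__ == '__main__':` (the lines removed just above it). Keeping the guard, `if __name__ == '__main__':` / `    ServerCertInstall.run_cli()`, costs nothing and avoids running the installer if the file is ever imported or picked up by a tool that loads scripts as modules. This is a point of style only, since the file is invoked as a command.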
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
new file mode 100644
index 000000000..8eff3ee16
--- /dev/null
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -0,0 +1,154 @@
+#! /usr/bin/python
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+# Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2007-2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+import os.path
+import pwd
+
+from ipapython import admintool
+from ipapython.dn import DN
+from ipapython.ipautil import user_input, write_tmp_file
+from ipalib import api
+from ipaserver.install import certs, dsinstance, httpinstance, installutils
+from ipaserver.plugins.ldap2 import ldap2
+
+CACERT = "/etc/ipa/ca.crt"
+
+class ServerCertInstall(admintool.AdminTool):
+ command_name = 'ipa-server-certinstall'
+
+ usage = "%prog [options]"
+
+ description = "Install new SSL server certificates."
+
+ @classmethod
+ def add_options(cls, parser):
+ super(ServerCertInstall, cls).add_options(parser)
+
+ parser.add_option(
+ "-d", "--dirsrv",
+ dest="dirsrv", action="store_true", default=False,
+ help="install certificate for the directory server")
+ parser.add_option(
+ "-w", "--http",
+ dest="http", action="store_true", default=False,
+ help="install certificate for the http server")
+ parser.add_option(
+ "--dirsrv_pin",
+ dest="dirsrv_pin",
+ help="The password of the Directory Server PKCS#12 file")
+ parser.add_option(
+ "--http_pin",
+ dest="http_pin",
+ help="The password of the Apache Server PKCS#12 file")
+
+ def validate_options(self):
+ super(ServerCertInstall, self).validate_options(needs_root=True)
+
+ installutils.check_server_configuration()
+
+ if not self.options.dirsrv and not self.options.http:
+ self.option_parser.error("you must specify dirsrv and/or http")
+ if ((self.options.dirsrv and not self.options.dirsrv_pin) or
+ (self.options.http and not self.options.http_pin)):
+ self.option_parser.error("you must provide the password for the "
+ "PKCS#12 file")
+
+ if len(self.args) != 1:
+ self.option_parser.error("you must provide a pkcs12 filename")
+
+ def ask_for_options(self):
+ super(ServerCertInstall, self).ask_for_options()
+
+ if self.options.dirsrv:
+ self.dm_password = installutils.read_password(
+ "Directory Manager", confirm=False, validate=False, retry=False)
+ if self.dm_password is None:
+ raise admintool.ScriptError(
+ "Directory Manager password required")
+
+ def run(self):
+ api.bootstrap(in_server=True)
+ api.finalize()
+
+ self.pkcs12_fname = self.args[0]
+
+ if self.options.dirsrv:
+ self.install_dirsrv_cert()
+
+ if self.options.http:
+ self.install_http_cert()
+
+ def install_dirsrv_cert(self):
+ serverid = dsinstance.realm_to_serverid(api.env.realm)
+ dirname = dsinstance.config_dirname(serverid)
+
+ pwdfile = os.path.join(dirname, 'pwdfile.txt')
+ with open(pwdfile) as fd:
+ passwd = fd.read()
+
+ server_cert = self.import_cert(dirname, self.options.dirsrv_pin, passwd)
+
+ conn = ldap2(shared_instance=False, base_dn='')
+ conn.connect(bind_dn=DN(('cn', 'directory manager')),
+ bind_pw=self.dm_password)
+
+ entry = conn.make_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
+ ('cn', 'config')),
+ nssslpersonalityssl=[server_cert])
+ conn.update_entry(entry)
+
+ conn.disconnect()
+
+ def install_http_cert(self):
+ dirname = certs.NSS_DIR
+
+ server_cert = self.import_cert(dirname, self.options.http_pin, "")
+
+ installutils.set_directive(httpinstance.NSS_CONF,
+ 'NSSNickname', server_cert)
+
+ # Fix the database permissions
+ os.chmod(os.path.join(dirname, 'cert8.db'), 0640)
+ os.chmod(os.path.join(dirname, 'key3.db'), 0640)
+ os.chmod(os.path.join(dirname, 'secmod.db'), 0640)
+
+ pent = pwd.getpwnam("apache")
+ os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid)
+ os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
+ os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
+
+ def import_cert(self, dirname, pkcs12_passwd, db_password):
+ pw = write_tmp_file(pkcs12_passwd)
+ server_cert = installutils.check_pkcs12(
+ pkcs12_info=(self.pkcs12_fname, pw.name),
+ ca_file=CACERT,
+ hostname=api.env.host)
+
+ cdb = certs.CertDB(api.env.realm, nssdir=dirname)
+ try:
+ cdb.create_from_pkcs12(self.pkcs12_fname, pw.name,
+ db_password, CACERT)
+ except RuntimeError, e:
+ raise admintool.ScriptError(str(e))
+
+ return server_cert
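Review bot: In `import_cert` the PKCS#12 PIN written to disk by `write_tmp_file(pkcs12_passwd)` is only removed when `pw` is finalized — the removed script deleted its password file in a `finally`, while here nothing closes `pw` explicitly, so on an exception from `check_pkcs12` or `create_from_pkcs12` the lifetime of the plaintext PIN on disk depends on garbage collection (this assumes `write_tmp_file` returns a temporary file that is unlinked on close; confirm against ipautil). Wrapping the body from the `check_pkcs12` call through the `create_from_pkcs12` block in `try:` … `finally:` / `pw.close()` and returning `server_cert` after it pins the cleanup. In `install_dirsrv_cert` the `conn.disconnect()` likewise only runs if `update_entry` succeeds; a `try/finally` around the connect/update pair would release the LDAP connection on error. Separately, `sys` and `user_input` are imported but never used in the new module, and the `--dirsrv_pin`/`--http_pin` options take the PKCS#12 passwords on the command line, where they are visible in the process list to other local users — a prompt fallback via `read_password`, as already done for the Directory Manager password, would be worth a follow-up.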