author | Jan Cholasta <jcholast@redhat.com> | 2014-10-07 16:46:15 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-10 08:48:25 +0200 |
commit | 92a08266afb565bd50a8f059ef40f3d727fc2466 (patch) | |
tree | 64d7be7f424e66c44364a397ae5a958ed6cc1ec6 | |
parent | cf956fa998d6a849aba928a361f6c5d568d65189 (diff) | |
Fix certmonger configuration in installer code
https://fedorahosted.org/freeipa/ticket/4619
Reviewed-By: David Kupka <dkupka@redhat.com>
-rwxr-xr-x | install/tools/ipa-server-install | 5 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 2 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 87 | ||||
-rw-r--r-- | ipaserver/install/dogtaginstance.py | 77 | ||||
-rw-r--r-- | ipaserver/install/ipa_kra_install.py | 2 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 9 |
6 files changed, 78 insertions, 104 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 89d73304f..f394f1e3c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -561,14 +561,13 @@ def uninstall(): kra_instance = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag_constants) - kra_instance.stop_tracking_certificates(dogtag_constants) + kra_instance.stop_tracking_certificates() if kra_instance.is_installed(): kra_instance.uninstall() ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) - ca_instance.stop_tracking_certificates(dogtag_constants) - ca_instance.stop_tracking_agent_certificate(dogtag_constants) + ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall()
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb590..339dcb9ec 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -727,7 +727,7 @@ def certificate_renewal_update(ca): # Ok, now we need to stop tracking, then we can start tracking them # again with new configuration: - ca.stop_tracking_certificates(dogtag_constants) + ca.stop_tracking_certificates() if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3a296f589..cbb9e2cf0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -330,6 +330,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation """ + tracking_reqs = (('auditSigningCert cert-pki-ca', None), + ('ocspSigningCert cert-pki-ca', None), + ('subsystemCert cert-pki-ca', None), + ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) + server_cert_name = 'Server-Cert cert-pki-ca' + def __init__(self, realm=None, ra_db=None, dogtag_constants=None, host_name=None, dm_password=None, ldapi=True): if dogtag_constants is None:
@@ -363,11 +369,6 @@ class CAInstance(DogtagInstance): self.ra_agent_pwd = None self.ra_cert = None self.requestId = None - self.tracking_reqs = (('Server-Cert cert-pki-ca', None), - ('auditSigningCert cert-pki-ca', None), - ('ocspSigningCert cert-pki-ca', None), - ('subsystemCert cert-pki-ca', None), - ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) self.log = log_mgr.get_logger(self) def configure_instance(self, host_name, domain, dm_password,
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance): self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__configure_ra) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) - self.step("configure certificate renewals", self.configure_cert_renewal) + self.step("configure certificate renewals", self.configure_renewal) if not self.clone: self.step("configure RA certificate renewal", self.configure_agent_renewal) self.step("configure Server-Cert certificate renewal", self.track_servercert)
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance): fd.close() os.chmod(location, 0444) - @staticmethod - def configure_certmonger_renewal(): - """ - Create a new CA type for certmonger that will retrieve updated - certificates from the dogtag master server. - """ - services.knownservices.messagebus.start() - cmonger = services.knownservices.certmonger - cmonger.enable() - cmonger.start() - - bus = dbus.SystemBus() - obj = bus.get_object('org.fedorahosted.certmonger', - '/org/fedorahosted/certmonger') - iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') - path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent') - if not path: - iface.add_known_ca( - 'dogtag-ipa-ca-renew-agent', - paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, []) - def configure_agent_renewal(self): try: certmonger.dogtag_start_tracking(
@@ -1346,61 +1326,18 @@ class CAInstance(DogtagInstance): self.log.error( "certmonger failed to start tracking certificate: %s", e) - def __get_ca_pin(self): - try: - return certmonger.get_pin( - 'internal', - dogtag_constants=self.dogtag_constants) - except IOError, e: - raise RuntimeError( - 'Unable to determine PIN for CA instance: %s' % e) - - def configure_cert_renewal(self): - """ - Configure system certificates for renewal. - """ - reqs = ( - ('auditSigningCert cert-pki-ca', None), - ('ocspSigningCert cert-pki-ca', None), - ('subsystemCert cert-pki-ca', None), - ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'), - ) - - DogtagInstance.configure_renewal(self, reqs) - - def track_servercert(self): - """ - Specifically do not tell certmonger to restart the CA. This will be - done by the renewal script, renew_ca_cert once all the subsystem - certificates are renewed. + def stop_tracking_certificates(self): + """Stop tracking our certificates. Called on uninstall. """ - pin = self.__get_ca_pin() - try: - certmonger.dogtag_start_tracking( - ca='dogtag-ipa-renew-agent', - nickname='Server-Cert cert-pki-ca', - pin=pin, - pinfile=None, - secdir=self.dogtag_constants.ALIAS_DIR, - pre_command=None, - post_command=None) - except RuntimeError, e: - self.log.error( - "certmonger failed to start tracking certificate: %s", e) + super(CAInstance, self).stop_tracking_certificates(False) - @staticmethod - def stop_tracking_agent_certificate(dogtag_constants): - """Stop tracking agent certificate. Called on uninstall. - """ - cmonger = services.knownservices.certmonger - services.knownservices.messagebus.start() - cmonger.start() try: certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert') except RuntimeError, e: root_logger.error( "certmonger failed to stop tracking certificate: %s", e) - cmonger.stop() + + services.knownservices.certmonger.stop() def enable_subject_key_identifier(self): """ 
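Review bot: The docstring on the new CAInstance.stop_tracking_certificates does not say that, beyond the base-class behaviour, it also stops tracking the RA agent certificate `ipaCert` in `paths.HTTPD_ALIAS_DIR` and then stops certmonger itself — the two things the removed stop_tracking_agent_certificate used to do; `"""Stop tracking our certificates and the RA agent cert (ipaCert), then stop certmonger. Called on uninstall."""` would capture it. The positional argument in `super(CAInstance, self).stop_tracking_certificates(False)` reads more clearly as `stop_certmonger=False`, since the base signature in the dogtaginstance.py hunk defaults it to True. Now that this is an instance method rather than a staticmethod, the retained `root_logger.error(` call could use `self.log.error` like the rest of the class, though that line itself is unchanged by the commit.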
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 174b538aa..c9c34bd0b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -22,6 +22,7 @@ import os import shutil import tempfile import traceback +import dbus from pki.client import PKIConnection import pki.system
@@ -96,6 +97,9 @@ class DogtagInstance(service.Service): CA, KRA, and eventually TKS and TPS. """ + tracking_reqs = None + server_cert_name = None + def __init__(self, realm, subsystem, service_desc, dogtag_constants=None, host_name=None, dm_password=None, ldapi=True): """Initializer"""
@@ -126,7 +130,6 @@ class DogtagInstance(service.Service): self.server_root = dogtag_constants.SERVER_ROOT self.subsystem = subsystem self.security_domain_name = "IPA" - self.tracking_reqs = None # replication parameters self.master_host = None
@@ -293,6 +296,27 @@ class DogtagInstance(service.Service): with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd: fd.write(template) + @staticmethod + def configure_certmonger_renewal(): + """ + Create a new CA type for certmonger that will retrieve updated + certificates from the dogtag master server. + """ + cmonger = services.knownservices.certmonger + cmonger.enable() + services.knownservices.messagebus.start() + cmonger.start() + + bus = dbus.SystemBus() + obj = bus.get_object('org.fedorahosted.certmonger', + '/org/fedorahosted/certmonger') + iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') + path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent') + if not path: + iface.add_known_ca( + 'dogtag-ipa-ca-renew-agent', + paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, []) + def __get_pin(self): try: return certmonger.get_pin('internal',
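Review bot: The base-class default `tracking_reqs = None` in the `@@ -96,6 +97,9 @@` hunk is iterated directly by the new configure_renewal and stop_tracking_certificates in the later hunks of this file, so a subclass that does not override it fails with a TypeError rather than doing nothing; `tracking_reqs = ()` as the default would give the base class well-defined behaviour, while `server_cert_name = None` is already guarded explicitly where it is used. A short comment on the two new class attributes would help the next subsystem author, e.g. `# (nickname, profile) pairs consumed by configure_renewal; subclasses override` and `# nickname of the server cert tracked by track_servercert, or None`. In the first hunk, `import dbus` is appended to the standard-library group after `import traceback`; as a third-party module it belongs with the `pki` imports below.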
@@ -302,22 +326,11 @@ class DogtagInstance(service.Service): 'Unable to determine PIN for the Dogtag instance: %s', e) raise RuntimeError(e) - def configure_renewal(self, reqs=None): - """ Configure certmonger to renew system certs - - @param reqs: list of nicknames and profiles - """ - cmonger = services.knownservices.certmonger - cmonger.enable() - services.knownservices.messagebus.start() - cmonger.start() - + def configure_renewal(self): + """ Configure certmonger to renew system certs """ pin = self.__get_pin() - if reqs is None: - reqs = self.tracking_reqs - - for nickname, profile in reqs: + for nickname, profile in self.tracking_reqs: try: certmonger.dogtag_start_tracking( ca='dogtag-ipa-ca-renew-agent',
@@ -332,7 +345,27 @@ class DogtagInstance(service.Service): self.log.error( "certmonger failed to start tracking certificate: %s", e) - def stop_tracking_certificates(self, dogtag_constants, reqs=None): + def track_servercert(self): + """ + Specifically do not tell certmonger to restart the CA. This will be + done by the renewal script, renew_ca_cert once all the subsystem + certificates are renewed. + """ + pin = self.__get_pin() + try: + certmonger.dogtag_start_tracking( + ca='dogtag-ipa-renew-agent', + nickname=self.server_cert_name, + pin=pin, + pinfile=None, + secdir=self.dogtag_constants.ALIAS_DIR, + pre_command=None, + post_command=None) + except RuntimeError, e: + self.log.error( + "certmonger failed to start tracking certificate: %s" % e) + + def stop_tracking_certificates(self, stop_certmonger=True): """Stop tracking our certificates. Called on uninstall. """ self.print_msg(
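Review bot: The moved track_servercert in the `@@ -332,7 +345,27 @@` hunk formats its log message eagerly, `"certmonger failed to start tracking certificate: %s" % e`, whereas the CAInstance version it replaces and the configure_renewal error path just above pass `e` as a lazy argument; `self.log.error("certmonger failed to start tracking certificate: %s", e)` keeps the file consistent. It also hands `self.server_cert_name` to certmonger unguarded, and that attribute is None on the base class and on KRAInstance, so mirroring the check stop_tracking_certificates makes in the next hunk — `if self.server_cert_name is None: return` (or a clear error) — would avoid asking certmonger to track a None nickname. The new `stop_certmonger` parameter is not described in the docstring that follows it; a line such as `stop_certmonger: also stop the certmonger service afterwards; pass False when the caller still needs it running` would do. Because it now occupies the slot where the removed `dogtag_constants` positional parameter sat, any call site this commit does not update would silently pass the constants object as a truthy `stop_certmonger` rather than fail. The body of stop_tracking_certificates continues in the next hunk.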
@@ -343,18 +376,20 @@ class DogtagInstance(service.Service): services.knownservices.messagebus.start() cmonger.start() - if reqs is None: - reqs = self.tracking_reqs + nicknames = [nickname for nickname, profile in self.tracking_reqs] + if self.server_cert_name is not None: + nicknames.append(self.server_cert_name) - for nickname, _profile in reqs: + for nickname in nicknames: try: certmonger.stop_tracking( - dogtag_constants.ALIAS_DIR, nickname=nickname) + self.dogtag_constants.ALIAS_DIR, nickname=nickname) except RuntimeError, e: self.log.error( "certmonger failed to stop tracking certificate: %s", e) - cmonger.stop() + if stop_certmonger: + cmonger.stop() @staticmethod def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 207b8c412..099737fa9 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -122,7 +122,7 @@ class KRAUninstaller(KRAInstall): kra_instance = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag_constants) - kra_instance.stop_tracking_certificates(dogtag_constants) + kra_instance.stop_tracking_certificates() if kra_instance.is_installed(): kra_instance.uninstall()
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 182e8e034..1af1c0f72 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -52,6 +52,10 @@ class KRAInstance(DogtagInstance): be the same for both the CA and KRA. """ + tracking_reqs = (('auditSigningCert cert-pki-kra', None), + ('transportCert cert-pki-kra', None), + ('storageCert cert-pki-kra', None)) + def __init__(self, realm, dogtag_constants=None): if dogtag_constants is None: dogtag_constants = dogtag.configured_constants()
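Review bot: In `nicknames = [nickname for nickname, profile in self.tracking_reqs]` the `profile` name is bound but never used; the loop line this replaces spelled it `_profile`, and `for nickname, _profile in self.tracking_reqs` keeps that convention and makes the intent obvious. The `if stop_certmonger: cmonger.stop()` tail is the right shape for letting CAInstance keep certmonger running for its extra ipaCert step before stopping it itself. The signature and docstring of stop_tracking_certificates are in the previous hunk.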
@@ -64,9 +68,6 @@ class KRAInstance(DogtagInstance): ) self.basedn = DN(('o', 'kra'), ('o', 'ipaca')) - self.tracking_reqs = (('auditSigningCert cert-pki-kra', None), - ('transportCert cert-pki-kra', None), - ('storageCert cert-pki-kra', None)) self.log = log_mgr.get_logger(self) def configure_instance(self, host_name, domain, dm_password,
@@ -111,6 +112,8 @@ class KRAInstance(DogtagInstance): self.step("add RA user to KRA agent group", self.__add_ra_user_to_agent_group) self.step("restarting KRA", self.restart_instance) + self.step("configure certmonger for renewals", + self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) self.step("Configure HTTP to proxy connections", self.http_proxy) |
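Review bot: KRAInstance overrides `tracking_reqs` but leaves `server_cert_name` at the base default of None, and the new "configure certmonger for renewals" step is not paired with a track_servercert step, so no KRA server certificate is ever put under or taken out of certmonger tracking. If that is deliberate — presumably because the KRA shares the CA's server certificate, which I cannot confirm from this diff — a one-line comment next to the `tracking_reqs` assignment in the earlier hunk of this file, such as `# server_cert_name stays None: the KRA's server cert is tracked by the CA instance`, would record the decision; otherwise `server_cert_name` should be set and the step added here. configure_instance continues outside this hunk.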