author | Jan Cholasta <jcholast@redhat.com> | 2014-07-18 11:01:13 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 7086183519bd82ef1e277ceb3ee45438c6695159 (patch) | |
tree | 8dd3dc02dc220a7829a414506333862234e591df /install/restart_scripts/renew_ra_cert | |
parent | e16d2623aee089f07854ffc32b976e45d17c03ff (diff) | |
Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ra_cert')
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index fb4470588..6d4b81a53 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -22,11 +22,15 @@
 import sys
 import syslog
+import tempfile
+import shutil
 import traceback
+from ipapython import ipautil
 from ipalib import api
 from ipaserver.install import certs, cainstance
 from ipaplatform import services
+from ipaplatform.paths import paths
 nickname = 'ipaCert'
@@ -34,17 +38,26 @@ def main():
 api.bootstrap(context='restart')
 api.finalize()
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- # Fetch the new certificate
- db = certs.CertDB(api.env.realm)
- dercert = db.get_cert_from_db(nickname, pem=False)
- if not dercert:
- syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
- sys.exit(1)
-
- # Load it into dogtag
- cainstance.update_people_entry(dercert)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+ principal)
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ # Fetch the new certificate
+ db = certs.CertDB(api.env.realm)
+ dercert = db.get_cert_from_db(nickname, pem=False)
+ if not dercert:
+ syslog.syslog(
+ syslog.LOG_ERR, "No certificate %s found." % nickname)
+ sys.exit(1)
+
+ # Load it into dogtag
+ cainstance.update_people_entry(dercert)
+ finally:
+ shutil.rmtree(tmpdir)
 # Now restart Apache so the new certificate is available
 syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd") |
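Review bot: In the second hunk `ccache` is bound from `ipautil.kinit_hostprincipal(...)` but never read afterwards, so either the helper works by side effect (presumably by pointing the process's credential cache at a file under `tmpdir`) and the binding should go — `ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)` — or the returned cache was meant to reach `cainstance.CAInstance(...)` and is currently dropped; please confirm which and add a one-line comment stating how the host credential reaches the non-ldapi LDAP bind. If the helper exports the cache location into the environment, that variable keeps pointing at a path `shutil.rmtree(tmpdir)` has already deleted once the `finally` runs, which looks harmless for the httpd restart below but deserves a comment. `shutil.rmtree(tmpdir)` in `finally` will also replace the original exception if removal fails; wrapping it as `try: shutil.rmtree(tmpdir)` / `except OSError as e: syslog.syslog(syslog.LOG_WARNING, "Cannot remove %s: %s" % (tmpdir, e))` keeps the real failure visible while still reporting a leftover credential cache. main() begins before this hunk and continues after it.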