authorFraser Tweedale <ftweedal@redhat.com>2016-06-21 15:01:41 +1000
committerJan Cholasta <jcholast@redhat.com>2016-06-29 08:52:29 +0200
commit0078e7a9192a940104d8f6621b33d24d814c109b (patch)
tree378d84d9d1e72c0ffa51dbe3a40f62d4f4f91ad5 /ipaclient
parentb720aa94e9317b857734c08a69fe2dcc0d95bf68 (diff)
ipa-certupdate: track lightweight CA certificates
Enhance the ipa-certupdate program to add Certmonger tracking requests for lightweight CA certificates. Also update the dogtag-ipa-ca-renew-agent-submit to not store or retrieve lightweight CA certificates, because Dogtag clones observe renewals and update their NSSDBs on their own, and allow the helper to request non-self-signed certificates. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaclient')
-rw-r--r--ipaclient/ipa_certupdate.py52
1 files changed, 48 insertions, 4 deletions
diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py
index b9572196c..e59047a27 100644
--- a/ipaclient/ipa_certupdate.py
+++ b/ipaclient/ipa_certupdate.py
@@ -29,7 +29,10 @@ from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
from ipalib import api, errors, x509, certstore
+from ipalib.constants import IPA_CA_CN
+IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
+RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
class CertUpdate(admintool.AdminTool):
command_name = 'ipa-certupdate'
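Review bot: The two new module-level constants IPA_CA_NICKNAME and RENEWAL_CA_NAME carry no comment saying what they name, even though they now feed the certmonger criteria in two places and the lightweight-CA nickname format. A one-line comment on each would save the reader a trip to the later hunks, e.g. `# NSS nickname of the IPA CA signing certificate in the Dogtag alias directory` above IPA_CA_NICKNAME and `# certmonger CA name of the IPA CA renewal helper used for tracking requests` above RENEWAL_CA_NAME. The import of IPA_CA_CN is only used further down in the lightweight-CA filter, so a note there that it is the cn of the main IPA CA entry would be worth adding as well.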
@@ -76,18 +79,27 @@ class CertUpdate(admintool.AdminTool):
version=u'2.0',
)
ca_enabled = result['result']['enable_ra']
- api.Backend.rpcclient.disconnect()
ldap.do_sasl_gssapi_bind()
certs = certstore.get_ca_certs(ldap, api.env.basedn,
api.env.realm, ca_enabled)
+
+ # find lightweight CAs (on renewal master only)
+ lwcas = []
+ for ca_obj in api.Command.ca_find()['result']:
+ if IPA_CA_CN not in ca_obj['cn']:
+ lwcas.append(ca_obj)
+
+ api.Backend.rpcclient.disconnect()
finally:
shutil.rmtree(tmpdir)
server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
if server_fstore.has_files():
self.update_server(certs)
+ for entry in lwcas:
+ self.server_track_lightweight_ca(entry)
self.update_client(certs)
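Review bot: The added `api.Command.ca_find()` call runs unconditionally, although `ca_enabled` is already known two lines above and the comment says lightweight CAs matter on the renewal master only; if the server has no CA the call may raise, and because the exception propagates out of the try/finally the client-side update at `self.update_client(certs)` is never reached. Wrapping the loop as `if ca_enabled:` / `for ca_obj in api.Command.ca_find()['result']:` (with `lwcas = []` kept before the guard) preserves the client update on such hosts. The filter `IPA_CA_CN not in ca_obj['cn']` appears to rely on cn being a list-valued attribute (the next hunk indexes `entry['ipacaid'][0]` the same way); `ca_obj['cn'][0] != IPA_CA_CN` states that intent exactly and cannot degrade into a substring test. Since each collected entry's ipacaid is later interpolated into a certmonger post_command string in server_track_lightweight_ca, a format check on that server-supplied value before it is used would be prudent. The enclosing method starts before this hunk.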
@@ -122,11 +134,10 @@ class CertUpdate(admintool.AdminTool):
if services.knownservices.httpd.is_running():
services.knownservices.httpd.restart()
- nickname = 'caSigningCert cert-pki-ca'
criteria = {
'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
- 'cert-nickname': nickname,
- 'ca-name': 'dogtag-ipa-ca-renew-agent',
+ 'cert-nickname': IPA_CA_NICKNAME,
+ 'ca-name': RENEWAL_CA_NAME
}
request_id = certmonger.get_request_id(criteria)
if request_id is not None:
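Review bot: The rewritten criteria dict is now built identically in update_server and in the new server_track_lightweight_ca (next hunk), differing only in the nickname, so a small helper such as `def _ca_tracking_criteria(nickname): return {'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': nickname, 'ca-name': RENEWAL_CA_NAME}` would keep the two from drifting apart. As a minor style point, this dict drops the trailing comma after `'ca-name': RENEWAL_CA_NAME` while the one in the next hunk keeps it; `'ca-name': RENEWAL_CA_NAME,` keeps both consistent. The enclosing update_server method starts before and continues after this hunk.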
@@ -152,6 +163,39 @@ class CertUpdate(admintool.AdminTool):
self.update_file(paths.CA_CRT, certs)
+ def server_track_lightweight_ca(self, entry):
+ nickname = "{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0])
+ criteria = {
+ 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
+ 'cert-nickname': nickname,
+ 'ca-name': RENEWAL_CA_NAME,
+ }
+ request_id = certmonger.get_request_id(criteria)
+ if request_id is None:
+ try:
+ certmonger.dogtag_start_tracking(
+ secdir=paths.PKI_TOMCAT_ALIAS_DIR,
+ pin=certmonger.get_pin('internal'),
+ pinfile=None,
+ nickname=nickname,
+ ca=RENEWAL_CA_NAME,
+ pre_command='stop_pkicad',
+ post_command='renew_ca_cert "%s"' % nickname,
+ )
+ request_id = certmonger.get_request_id(criteria)
+ certmonger.modify(request_id, profile='ipaCACertRenewal')
+ self.log.debug(
+ 'Lightweight CA renewal: '
+ 'added tracking request for "%s"', nickname)
+ except RuntimeError as e:
+ self.log.error(
+ 'Lightweight CA renewal: Certmonger failed to '
+ 'start tracking certificate: %s', e)
+ else:
+ self.log.debug(
+ 'Lightweight CA renewal: '
+ 'already tracking certificate "%s"', nickname)
+
def update_file(self, filename, certs, mode=0o444):
certs = (c[0] for c in certs if c[2] is not False)
try: