diff options
Diffstat (limited to 'install/certmonger')
-rw-r--r-- | install/certmonger/Makefile.am | 14 | ||||
-rw-r--r-- | install/certmonger/dogtag-ipa-retrieve-agent-submit | 80 |
2 files changed, 94 insertions, 0 deletions
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am new file mode 100644 index 000000000..2023a2aec --- /dev/null +++ b/install/certmonger/Makefile.am @@ -0,0 +1,14 @@ +NULL = + +appdir = $(libexecdir)/certmonger/ +app_SCRIPTS = \ + dogtag-ipa-retrieve-agent-submit \ + $(NULL) + +EXTRA_DIST = \ + $(app_SCRIPTS) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit new file mode 100644 index 000000000..24e1844a5 --- /dev/null +++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit @@ -0,0 +1,80 @@ +#!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# The certificate rewewal is done on only one dogtag CA. The others +# retrieve the updated certificate from IPA. + +import os +import sys +import shutil +import tempfile +import krbV +import syslog +from ipalib import api +from ipalib.dn import DN +from ipalib import errors +from ipalib import x509 +from ipapython import services as ipaservices +from ipapython import ipautil +from ipaserver.install import certs +from ipaserver.plugins.ldap2 import ldap2 +import base64 + +# We cheat and pass in the nickname as the CA profile to execute against. +# Some way is needed to determine which entry to retrieve from LDAP +operation = os.environ.get('CERTMONGER_OPERATION') +nickname = os.environ.get('CERTMONGER_CA_PROFILE') + +if operation not in ['SUBMIT', 'POLL']: + sys.exit(6) # unsupported operation + +api.bootstrap(context='renew') +api.finalize() + +# Update or add it +tmpdir = tempfile.mkdtemp(prefix = "tmp-") +try: + dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn))) + principal = str('host/%s@%s' % (api.env.host, api.env.realm)) + ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) + conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) + conn.connect(ccache=ccache) + try: + syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname) + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) + cert = entry_attrs['usercertificate'][0] + cert = base64.b64encode(cert) + print x509.make_pem(cert) + except errors.NotFound: + syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available" % nickname) + # No cert available yet, tell certmonger to wait another 8 hours + print 8 * 60 * 60 + sys.exit(5) + finally: + conn.disconnect() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Exception trying to retrieve %s: %s" % (nickname, e)) + # Unhandled error + sys.exit(3) +finally: + shutil.rmtree(tmpdir) + +sys.exit(0) |