Diffstat (limited to 'install')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 10 | ||||
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 30 |
2 files changed, 25 insertions, 15 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 2e67c7e5a..cc690b8fa 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -217,10 +217,12 @@ def request_cert():
syslog.syslog(syslog.LOG_NOTICE, "Forwarding request to dogtag-ipa-renew-agent")
- path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
- args = [path, '--dbdir', paths.IPA_RADB_DIR]
- args.extend(sys.argv[1:])
- args.extend(['--submit-option', "requestor_name=IPA"])
+ args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
+ "--cafile", paths.IPA_CA_CRT,
+ "--certfile", paths.RA_AGENT_PEM,
+ "--keyfile", paths.RA_AGENT_KEY] +
+ sys.argv[1:] +
+ ['--submit-option', "requestor_name=IPA"])
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
args += ['-N', '-O', 'bypassCAnotafter=true']
result = ipautil.run(args, raiseonerr=False, env=os.environ,
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 4dc6c2e4f..5c71d5791 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -27,15 +27,15 @@ import tempfile
import shutil
import traceback
+from cryptography.hazmat.primitives import serialization
+
from ipalib.install.kinit import kinit_keytab
-from ipalib import api
-from ipaserver.install import certs, cainstance, dogtaginstance
+from ipalib import api, x509
+from ipaserver.install import certs, cainstance
from ipaplatform.paths import paths
def _main():
- nickname = 'ipaCert'
-
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect()
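Review bot: The new fixed `--cafile`/`--certfile`/`--keyfile` arguments carry no comment explaining why the helper stopped using the NSS database (`--dbdir`, `paths.IPA_RADB_DIR`) and now authenticates with PEM files, which is the first thing a maintainer of this forwarding path will ask; add above the `args = (...)` expression `# Authenticate to dogtag-ipa-renew-agent with the RA agent's PEM cert/key instead of the NSS DB`. Note also that `sys.argv[1:]` is spliced in after those fixed options, so any of the same options arriving on the command line would be passed a second time, and whether dogtag-ipa-renew-agent honours the first or the last occurrence is not visible here. request_cert() starts and ends outside the hunk.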
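Review bot: The import `from ipaserver.install import certs, cainstance` keeps `certs` even though its only visible use, `certs.CertDB(api.env.realm)`, is removed in the next hunk of this file; unless `certs` is referenced in the part of renew_ra_cert outside these hunks, the line should become `from ipaserver.install import cainstance`. The new `from cryptography.hazmat.primitives import serialization` is placed in its own group between the stdlib and ipalib imports, which matches the third-party grouping convention. The enclosing module header continues outside the hunk.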
@@ -48,20 +48,28 @@ def _main():
os.environ['KRB5CCNAME'] = ccache_filename
ca = cainstance.CAInstance(host_name=api.env.host)
+ ra_certpath = paths.RA_AGENT_PEM
if ca.is_renewal_master():
# Fetch the new certificate
- db = certs.CertDB(api.env.realm)
- dercert = db.get_cert_from_db(nickname, pem=False)
- if not dercert:
+ try:
+ cert = x509.load_certificate_from_file(ra_certpath)
+ except IOError as e:
+ syslog.syslog(
+ syslog.LOG_ERR, "Can't open '{certpath}': {err}"
+ .format(certpath=ra_certpath, err=e)
+ )
+ sys.exit(1)
+ except (TypeError, ValueError):
syslog.syslog(
- syslog.LOG_ERR, "No certificate %s found." % nickname)
+ syslog.LOG_ERR, "'{certpath}' is not a valid certificate "
+ "file".format(certpath=ra_certpath)
+ )
sys.exit(1)
+ dercert = cert.public_bytes(serialization.Encoding.DER)
+
# Load it into dogtag
cainstance.update_people_entry(dercert)
-
- if api.Command.kra_is_enabled()['result']:
- dogtaginstance.export_ra_agent_pem()
finally:
shutil.rmtree(tmpdir)
api.Backend.ldap2.disconnect() |
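Review bot: The certificate read from `ra_certpath` is written to the RA agent's people entry via `cainstance.update_people_entry(dercert)` with nothing in the log recording which certificate was pushed, so an operator cannot later tell from syslog whether the freshly renewed cert or a stale file on disk was loaded; before the `update_people_entry` call add `syslog.syslog(syslog.LOG_NOTICE, "Updating RA agent entry with certificate serial {0}".format(cert.serial_number))`, assuming the object returned by `x509.load_certificate_from_file` exposes `serial_number` as the cryptography certificate used for `public_bytes` does. The two error branches log the path and exit, which is good, but whether a parse failure surfaces as `TypeError`/`ValueError` depends on `load_certificate_from_file` and is not visible here. As a point of style, `ra_certpath = paths.RA_AGENT_PEM` is assigned before `if ca.is_renewal_master():` but used only inside that branch, so it could move under the `if`. _main() starts outside the hunk.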