#!/usr/bin/python2 -E
#
# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#   Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2013  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import sys
import os
import syslog
import tempfile
import shutil
import traceback

from cryptography.hazmat.primitives import serialization

from ipalib.install.kinit import kinit_keytab
from ipalib import api, x509
from ipaserver.install import certs, cainstance
from ipaplatform.paths import paths


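def _main():
    """Push the renewed RA agent certificate into Dogtag.

    Intended to run after the RA agent certificate has been renewed; it is
    paired with renew_ra_cert_pre, which takes the renewal lock that main()
    releases.  Only the renewal master updates Dogtag -- every other server
    just obtains host credentials and returns.

    The host principal's credential cache is written into a private temp
    directory (tempfile.mkdtemp creates it accessible to the owner only) that
    is always removed before returning, so the ccache never outlives the run.

    Exits with status 1, after logging to syslog, when the RA agent PEM at
    paths.RA_AGENT_PEM cannot be opened or parsed.  Any other failure
    propagates to the caller.
    """
    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
    api.finalize()
    # NOTE(review): this connection is opened before the host kinit below,
    # so it presumably relies on the server-side autobind rather than
    # Kerberos -- confirm before changing the ordering.
    api.Backend.ldap2.connect()

    tmpdir = tempfile.mkdtemp(prefix="tmp-")
    try:
        # str() keeps the principal a native string on Python 2 even when
        # the api.env values are unicode.
        principal = str('host/%s@%s' % (api.env.host, api.env.realm))
        ccache_filename = os.path.join(tmpdir, 'ccache')
        kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
        # Export the fresh ccache so anything below that authenticates via
        # Kerberos uses the host credentials rather than a stale cache.
        os.environ['KRB5CCNAME'] = ccache_filename

        ca = cainstance.CAInstance(host_name=api.env.host)
        ra_certpath = paths.RA_AGENT_PEM
        if ca.is_renewal_master():
            # Fetch the new certificate
            try:
                cert = x509.load_certificate_from_file(ra_certpath)
            except IOError as e:
                syslog.syslog(
                    syslog.LOG_ERR, "Can't open '{certpath}': {err}"
                    .format(certpath=ra_certpath, err=e)
                )
                sys.exit(1)
            except (TypeError, ValueError):
                syslog.syslog(
                    syslog.LOG_ERR, "'{certpath}' is not a valid certificate "
                    "file".format(certpath=ra_certpath)
                )
                sys.exit(1)

            dercert = cert.public_bytes(serialization.Encoding.DER)

            # Load it into dogtag
            cainstance.update_people_entry(dercert)
    finally:
        # Nested so the LDAP connection is dropped even if removing the
        # ccache directory raises; previously an rmtree() failure skipped
        # disconnect() entirely.
        try:
            shutil.rmtree(tmpdir)
        finally:
            api.Backend.ldap2.disconnect()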


def main():
    """Run the renewal step and always hand back the renewal lock.

    The lock is taken by renew_ra_cert_pre, not here; this wrapper only
    guarantees it is released whether _main() returns, raises, or calls
    sys.exit().
    """
    lock_owner = 'renew_ra_cert'
    try:
        _main()
    finally:
        # Release runs on every exit path, including SystemExit, so a
        # failed renewal cannot leave the lock held for the next run.
        certs.renewal_lock.release(lock_owner)


# Script entry point.  Anything main() lets escape is recorded in syslog
# together with its traceback.  Note that after logging, the process still
# exits with status 0, so the invoking process does not see the failure;
# only the explicit sys.exit(1) calls inside _main() (SystemExit is not an
# Exception subclass and passes through here) produce a non-zero status.
try:
    main()
except Exception:
    formatted = traceback.format_exc()
    syslog.syslog(syslog.LOG_ERR, formatted)