1 files changed, 93 insertions, 0 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
new file mode 100644
index 000000000..d3b756042
--- /dev/null
+++ b/install/restart_scripts/renew_ca_cert
@@ -0,0 +1,93 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install.cainstance import update_cert_config
+
+nickname = sys.argv[1]
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+cert = db.get_cert_from_db(nickname, pem=False)
+
+if not cert:
+    syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+    sys.exit(1)
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        entry_attrs['usercertificate'] = cert
+        conn.update_entry(dn, entry_attrs, normalize=False)
+    except errors.NotFound:
+        entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+                                        usercertificate=cert)
+        conn.add_entry(dn, entry_attrs, normalize=False)
+    except errors.EmptyModlist:
+        pass
+    conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+    shutil.rmtree(tmpdir)
+
+# Fix permissions on the audit cert if we're updating it
+if nickname == 'auditSigningCert cert-pki-ca':
+    db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias')
+    args = ['-M',
+            '-n', nickname,
+            '-t', 'u,u,Pu',
+           ]
+    try:
+        db.run_certutil(args)
+    except ipautil.CalledProcessError:
+        syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+
+update_cert_config(nickname, cert)
+
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+
+try:
+    ipaservices.knownservices.pki_cad.restart('pki-ca')
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e))