diff options
Diffstat (limited to 'install/restart_scripts/renew_ca_cert')
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert new file mode 100644 index 000000000..d3b756042 --- /dev/null +++ b/install/restart_scripts/renew_ca_cert @@ -0,0 +1,93 @@ +#!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import sys +import shutil +import tempfile +import krbV +import syslog +from ipalib import api +from ipalib.dn import DN +from ipalib import errors +from ipapython import services as ipaservices +from ipapython import ipautil +from ipaserver.install import certs +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install.cainstance import update_cert_config + +nickname = sys.argv[1] + +api.bootstrap(context='restart') +api.finalize() + +# Fetch the new certificate +db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') +cert = db.get_cert_from_db(nickname, pem=False) + +if not cert: + syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) + sys.exit(1) + +# Update or add it +tmpdir = tempfile.mkdtemp(prefix = "tmp-") +try: + dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn))) + principal = str('host/%s@%s' % (api.env.host, api.env.realm)) + ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) + conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) + conn.connect(ccache=ccache) + try: + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) + entry_attrs['usercertificate'] = cert + conn.update_entry(dn, entry_attrs, normalize=False) + except errors.NotFound: + entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'], + usercertificate=cert) + conn.add_entry(dn, entry_attrs, normalize=False) + except errors.EmptyModlist: + pass + conn.disconnect() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) +finally: + shutil.rmtree(tmpdir) + +# Fix permissions on the audit cert if we're updating it +if nickname == 'auditSigningCert cert-pki-ca': + db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + args = ['-M', + '-n', nickname, + '-t', 'u,u,Pu', + ] + try: + db.run_certutil(args) + except ipautil.CalledProcessError: + syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) + +update_cert_config(nickname, cert) + +syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca') + +try: + ipaservices.knownservices.pki_cad.restart('pki-ca') +except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) |