1 files changed, 96 insertions, 0 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
new file mode 100644
index 000000000..2fcf1a79b
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert
@@ -0,0 +1,96 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import shutil
+import tempfile
+import syslog
+from ipapython import services as ipaservices
+from ipapython.certmonger import get_pin
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.install.cainstance import DEFAULT_DSPORT
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import x509
+from ipalib import errors
+from ipaserver.plugins.ldap2 import ldap2
+
+api.bootstrap(context='restart')
+api.finalize()
+
+# Fetch the new certificate
+db = certs.CertDB(api.env.realm)
+cert = db.get_cert_from_db('ipaCert', pem=False)
+serial_number = x509.get_serial_number(cert, datatype=x509.DER)
+subject = x509.get_subject(cert, datatype=x509.DER)
+issuer = x509.get_issuer(cert, datatype=x509.DER)
+
+# Load it into dogtag
+dn = str(DN(('uid','ipara'),('ou','People'),('o','ipaca')))
+
+try:
+    dm_password = get_pin('internaldb')
+except IOError, e:
+    syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+    sys.exit(1)
+
+try:
+    conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT)
+    conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+    (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
+    entry_attrs['usercertificate'].append(cert)
+    entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
+    conn.update_entry(dn, entry_attrs, normalize=False)
+    conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
+    sys.exit(1)
+
+# Store it in the IPA LDAP server
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn','ipaCert'),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        entry_attrs['usercertificate'] = cert
+        conn.update_entry(dn, entry_attrs, normalize=False)
+    except errors.NotFound:
+        entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
+                                        usercertificate=cert)
+        conn.add_entry(dn, entry_attrs, normalize=False)
+    except errors.EmptyModlist:
+        pass
+    conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+finally:
+    shutil.rmtree(tmpdir)
+
+# Now restart Apache so the new certificate is available
+try:
+    ipaservices.knownservices.httpd.restart()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))