From 01fcae3f99ba3368cb88418e14b6bbbe81bc555d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 23 Aug 2016 16:14:30 +1000
Subject: [PATCH] Track lightweight CAs on replica installation
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipaclient/ipa_certupdate.py | 53 ++++++---------------------------
ipalib/constants.py | 2 ++
ipaserver/install/cainstance.py | 66 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 77 insertions(+), 44 deletions(-)
diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py
|
|
|
403b09 |
index f340f32bcdca5f5d98177f7aa9af366b67d8dd80..4b97b85b83c8b1a130d6db9cdcc7a76fc569af9e 100644
|
|
|
403b09 |
--- a/ipaclient/ipa_certupdate.py
|
|
|
403b09 |
+++ b/ipaclient/ipa_certupdate.py
|
|
|
403b09 |
@@ -29,10 +29,8 @@ from ipaplatform import services
|
|
|
403b09 |
from ipaplatform.paths import paths
|
|
|
403b09 |
from ipaplatform.tasks import tasks
|
|
|
403b09 |
from ipalib import api, errors, x509, certstore
|
|
|
403b09 |
-from ipalib.constants import IPA_CA_CN
|
|
|
403b09 |
+from ipalib.constants import IPA_CA_NICKNAME, RENEWAL_CA_NAME
|
|
|
403b09 |
|
|
|
403b09 |
-IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
|
|
|
403b09 |
-RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
|
|
|
403b09 |
|
|
|
403b09 |
class CertUpdate(admintool.AdminTool):
|
|
|
403b09 |
command_name = 'ipa-certupdate'
|
|
|
403b09 |
@@ -85,12 +83,7 @@ class CertUpdate(admintool.AdminTool):
|
|
|
403b09 |
certs = certstore.get_ca_certs(ldap, api.env.basedn,
|
|
|
403b09 |
api.env.realm, ca_enabled)
|
|
|
403b09 |
|
|
|
403b09 |
- # find lightweight CAs (on renewal master only)
|
|
|
403b09 |
- lwcas = []
|
|
|
403b09 |
- if ca_enabled:
|
|
|
403b09 |
- for ca_obj in api.Command.ca_find()['result']:
|
|
|
403b09 |
- if IPA_CA_CN not in ca_obj['cn']:
|
|
|
403b09 |
- lwcas.append(ca_obj)
|
|
|
403b09 |
+ lwcas = api.Command.ca_find()['result']
|
|
|
403b09 |
|
|
|
403b09 |
api.Backend.rpcclient.disconnect()
|
|
|
403b09 |
finally:
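Review bot: The rewritten `lwcas = api.Command.ca_find()['result']` now runs unconditionally, although the line just above still passes `ca_enabled` to `get_ca_certs` and the removed code only queried the CA plugin when a CA was enabled. On a CA-less deployment `ca_find` presumably fails (the CA plugin commands check for an enabled CA), and that exception escapes this try/finally and aborts ipa-certupdate before the client trust stores are updated. Keeping the guard costs one line: `lwcas = api.Command.ca_find()['result'] if ca_enabled else []`. The enclosing method starts and ends outside the hunk.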
|
|
|
403b09 |
@@ -99,8 +92,13 @@ class CertUpdate(admintool.AdminTool):
|
|
|
403b09 |
server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
403b09 |
if server_fstore.has_files():
|
|
|
403b09 |
self.update_server(certs)
|
|
|
403b09 |
- for entry in lwcas:
|
|
|
403b09 |
- self.server_track_lightweight_ca(entry)
|
|
|
403b09 |
+ try:
|
|
|
403b09 |
+ from ipaserver.install import cainstance
|
|
|
403b09 |
+ cainstance.add_lightweight_ca_tracking_requests(
|
|
|
403b09 |
+ self.log, lwcas)
|
|
|
403b09 |
+ except Exception as e:
|
|
|
403b09 |
+ self.log.exception(
|
|
|
403b09 |
+ "Failed to add lightweight CA tracking requests")
|
|
|
403b09 |
|
|
|
403b09 |
self.update_client(certs)
|
|
|
403b09 |
|
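Review bot: In the new `except Exception as e:` the bound name `e` is never used; `self.log.exception(...)` already records the traceback, so write `except Exception:` (or log `e` explicitly). The blanket catch also swallows a failing function-scope `from ipaserver.install import cainstance` and turns any failure into a log line after which ipa-certupdate still exits successfully, so the message should state the consequence for the operator, e.g. `"Failed to add lightweight CA tracking requests; their certificates will not be renewed by certmonger"`. The enclosing method continues outside the hunk.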
|
|
403b09 |
@@ -164,39 +162,6 @@ class CertUpdate(admintool.AdminTool):
|
|
|
403b09 |
|
|
|
403b09 |
self.update_file(paths.CA_CRT, certs)
|
|
|
403b09 |
|
|
|
403b09 |
- def server_track_lightweight_ca(self, entry):
|
|
|
403b09 |
- nickname = "{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0])
|
|
|
403b09 |
- criteria = {
|
|
|
403b09 |
- 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
|
|
|
403b09 |
- 'cert-nickname': nickname,
|
|
|
403b09 |
- 'ca-name': RENEWAL_CA_NAME,
|
|
|
403b09 |
- }
|
|
|
403b09 |
- request_id = certmonger.get_request_id(criteria)
|
|
|
403b09 |
- if request_id is None:
|
|
|
403b09 |
- try:
|
|
|
403b09 |
- certmonger.dogtag_start_tracking(
|
|
|
403b09 |
- secdir=paths.PKI_TOMCAT_ALIAS_DIR,
|
|
|
403b09 |
- pin=certmonger.get_pin('internal'),
|
|
|
403b09 |
- pinfile=None,
|
|
|
403b09 |
- nickname=nickname,
|
|
|
403b09 |
- ca=RENEWAL_CA_NAME,
|
|
|
403b09 |
- pre_command='stop_pkicad',
|
|
|
403b09 |
- post_command='renew_ca_cert "%s"' % nickname,
|
|
|
403b09 |
- )
|
|
|
403b09 |
- request_id = certmonger.get_request_id(criteria)
|
|
|
403b09 |
- certmonger.modify(request_id, profile='ipaCACertRenewal')
|
|
|
403b09 |
- self.log.debug(
|
|
|
403b09 |
- 'Lightweight CA renewal: '
|
|
|
403b09 |
- 'added tracking request for "%s"', nickname)
|
|
|
403b09 |
- except RuntimeError as e:
|
|
|
403b09 |
- self.log.error(
|
|
|
403b09 |
- 'Lightweight CA renewal: Certmonger failed to '
|
|
|
403b09 |
- 'start tracking certificate: %s', e)
|
|
|
403b09 |
- else:
|
|
|
403b09 |
- self.log.debug(
|
|
|
403b09 |
- 'Lightweight CA renewal: '
|
|
|
403b09 |
- 'already tracking certificate "%s"', nickname)
|
|
|
403b09 |
-
|
|
|
403b09 |
def update_file(self, filename, certs, mode=0o444):
|
|
|
403b09 |
certs = (c[0] for c in certs if c[2] is not False)
|
|
|
403b09 |
try:
|
|
|
403b09 |
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
|
|
403b09 |
index 9b351e260f15211330521453b3ffcd41433a04bb..04515dcd25d066d8f1ab79ae8e8b96e909a1d884 100644
|
|
|
403b09 |
--- a/ipalib/constants.py
|
|
|
403b09 |
+++ b/ipalib/constants.py
|
|
|
403b09 |
@@ -274,3 +274,5 @@ CA_SUFFIX_NAME = 'ca'
|
|
|
403b09 |
PKI_GSSAPI_SERVICE_NAME = 'dogtag'
|
|
|
403b09 |
IPA_CA_CN = u'ipa'
|
|
|
403b09 |
IPA_CA_RECORD = "ipa-ca"
|
|
|
403b09 |
+IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
|
|
|
403b09 |
+RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'
|
|
|
403b09 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
403b09 |
index e94fec5f6fd898b66dc12407be6e3f671ac3f4de..3551887cd8ff8baa5e17f8969c84fb92d7552ef3 100644
|
|
|
403b09 |
--- a/ipaserver/install/cainstance.py
|
|
|
403b09 |
+++ b/ipaserver/install/cainstance.py
|
|
|
403b09 |
@@ -1382,6 +1382,9 @@ class CAInstance(DogtagInstance):
|
|
|
403b09 |
|
|
|
403b09 |
self.step("enabling CA instance", self.__enable_instance)
|
|
|
403b09 |
|
|
|
403b09 |
+ self.step("configuring certmonger renewal for lightweight CAs",
|
|
|
403b09 |
+ self.__add_lightweight_ca_tracking_requests)
|
|
|
403b09 |
+
|
|
|
403b09 |
self.start_creation(runtime=210)
|
|
|
403b09 |
|
|
|
403b09 |
def setup_lightweight_ca_key_retrieval(self):
|
|
|
403b09 |
@@ -1447,6 +1450,22 @@ class CAInstance(DogtagInstance):
|
|
|
403b09 |
os.chmod(keyfile, 0o600)
|
|
|
403b09 |
os.chown(keyfile, pent.pw_uid, pent.pw_gid)
|
|
|
403b09 |
|
|
|
403b09 |
+ def __add_lightweight_ca_tracking_requests(self):
|
|
|
403b09 |
+ if not self.admin_conn:
|
|
|
403b09 |
+ self.ldap_connect()
|
|
|
403b09 |
+
|
|
|
403b09 |
+ try:
|
|
|
403b09 |
+ lwcas = self.admin_conn.get_entries(
|
|
|
403b09 |
+ base_dn=api.env.basedn,
|
|
|
403b09 |
+ filter='(objectclass=ipaca)',
|
|
|
403b09 |
+ attrs_list=['cn', 'ipacaid'],
|
|
|
403b09 |
+ )
|
|
|
403b09 |
+ add_lightweight_ca_tracking_requests(self.log, lwcas)
|
|
|
403b09 |
+ except errors.NotFound:
|
|
|
403b09 |
+ # shouldn't happen, but don't fail if it does
|
|
|
403b09 |
+ root_logger.warning(
|
|
|
403b09 |
+ "Did not find any lightweight CAs; nothing to track")
|
|
|
403b09 |
+
|
|
|
403b09 |
|
|
|
403b09 |
def replica_ca_install_check(config):
|
|
|
403b09 |
if not config.setup_ca:
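Review bot: `__add_lightweight_ca_tracking_requests` logs through two different loggers: it hands `self.log` to `add_lightweight_ca_tracking_requests` but reports the NotFound case via `root_logger.warning`; use one of them (`self.log.warning(...)`) so the installer messages land in the same place. The `try` body also wraps the helper call, so an `errors.NotFound` escaping from the certmonger/IPA code it calls would be misreported as "Did not find any lightweight CAs"; keep only the `get_entries` call inside the `try` and move the helper call into an `else:` branch. `replica_ca_install_check` at the bottom of the hunk continues outside it.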
|
|
|
403b09 |
@@ -2069,6 +2088,53 @@ def ensure_default_caacl():
|
|
|
403b09 |
api.Backend.ldap2.disconnect()
|
|
|
403b09 |
|
|
|
403b09 |
|
|
|
403b09 |
+def add_lightweight_ca_tracking_requests(logger, lwcas):
|
|
|
403b09 |
+ """Add tracking requests for the given lightweight CAs.
|
|
|
403b09 |
+
|
|
|
403b09 |
+ The entries must have the 'cn' and 'ipacaid' attributes.
|
|
|
403b09 |
+
|
|
|
403b09 |
+ The IPA CA, if present, is skipped.
|
|
|
403b09 |
+
|
|
|
403b09 |
+ """
|
|
|
403b09 |
+ for entry in lwcas:
|
|
|
403b09 |
+ if ipalib.constants.IPA_CA_CN in entry['cn']:
|
|
|
403b09 |
+ continue
|
|
|
403b09 |
+
|
|
|
403b09 |
+ nickname = "{} {}".format(
|
|
|
403b09 |
+ ipalib.constants.IPA_CA_NICKNAME,
|
|
|
403b09 |
+ entry['ipacaid'][0])
|
|
|
403b09 |
+ criteria = {
|
|
|
403b09 |
+ 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
|
|
|
403b09 |
+ 'cert-nickname': nickname,
|
|
|
403b09 |
+ 'ca-name': ipalib.constants.RENEWAL_CA_NAME,
|
|
|
403b09 |
+ }
|
|
|
403b09 |
+ request_id = certmonger.get_request_id(criteria)
|
|
|
403b09 |
+ if request_id is None:
|
|
|
403b09 |
+ try:
|
|
|
403b09 |
+ certmonger.dogtag_start_tracking(
|
|
|
403b09 |
+ secdir=paths.PKI_TOMCAT_ALIAS_DIR,
|
|
|
403b09 |
+ pin=certmonger.get_pin('internal'),
|
|
|
403b09 |
+ pinfile=None,
|
|
|
403b09 |
+ nickname=nickname,
|
|
|
403b09 |
+ ca=ipalib.constants.RENEWAL_CA_NAME,
|
|
|
403b09 |
+ pre_command='stop_pkicad',
|
|
|
403b09 |
+ post_command='renew_ca_cert "%s"' % nickname,
|
|
|
403b09 |
+ )
|
|
|
403b09 |
+ request_id = certmonger.get_request_id(criteria)
|
|
|
403b09 |
+ certmonger.modify(request_id, profile='ipaCACertRenewal')
|
|
|
403b09 |
+ logger.debug(
|
|
|
403b09 |
+ 'Lightweight CA renewal: '
|
|
|
403b09 |
+ 'added tracking request for "%s"', nickname)
|
|
|
403b09 |
+ except RuntimeError as e:
|
|
|
403b09 |
+ logger.error(
|
|
|
403b09 |
+ 'Lightweight CA renewal: Certmonger failed to '
|
|
|
403b09 |
+ 'start tracking certificate: %s', e)
|
|
|
403b09 |
+ else:
|
|
|
403b09 |
+ logger.debug(
|
|
|
403b09 |
+ 'Lightweight CA renewal: '
|
|
|
403b09 |
+ 'already tracking certificate "%s"', nickname)
|
|
|
403b09 |
+
|
|
|
403b09 |
+
|
|
|
403b09 |
def update_ipa_conf():
|
|
|
403b09 |
"""
|
|
|
403b09 |
Update IPA configuration file to ensure that RA plugins are enabled and
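Review bot: `post_command='renew_ca_cert "%s"' % nickname` interpolates `entry['ipacaid'][0]`, a value read back from LDAP, into a command line that certmonger executes later, with double quotes as the only protection. If `ipacaid` is always a generated UUID this is harmless in practice, but nothing in this function enforces it; a guard before building the nickname, e.g. `if not re.match(r'^[0-9a-fA-F-]+$', entry['ipacaid'][0]): logger.error('Lightweight CA renewal: unexpected ipacaid %r', entry['ipacaid'][0]); continue` (with `import re` if the module lacks it), makes that assumption explicit instead of relying on quoting. Separately, `certmonger.get_pin('internal')` is re-read for every untracked CA inside the loop; it can be fetched once before the `for`. The function is complete within the hunk.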
|
|
|
403b09 |
--
|
|
|
403b09 |
2.7.4
|
|
|
403b09 |
|