def setup_pkinit(self):
if self.pkcs12_info:
certs.install_pem_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_CERT)
certs.install_key_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_KEY)
else:
subject = str(DN(('cn', self.fqdn), self.subject_base))
krbtgt = "krbtgt/" + self.realm + "@" + self.realm
certpath = (paths.KDC_CERT, paths.KDC_KEY)
try:
prev_helper = None
if self.master_fqdn is None:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
self._wait_for_replica_kdc_entry()
certmonger.request_and_wait_for_cert(
certpath,
subject,
krbtgt,
dns=self.fqdn,
storage='FILE',
profile='KDCs_PKINIT_Certs')
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error
name = e.get_dbus_name()
if name != 'org.fedorahosted.certmonger.duplicate':
root_logger.error("Failed to initiate the request: %s", e)
return
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
try:
self.restart()
except Exception:
root_logger.critical("krb5kdc service failed to restart")
raise
def _call_certmonger(self, certmonger_ca='IPA'):
subject = str(DN(('cn', self.fqdn), self.subject_base))
krbtgt = "krbtgt/" + self.realm + "@" + self.realm
certpath = (paths.KDC_CERT, paths.KDC_KEY)
try:
prev_helper = None
# on the first CA-ful master without '--no-pkinit', we issue the
# certificate by contacting Dogtag directly
ca_instances = find_providing_servers(
'CA', conn=self.api.Backend.ldap2, api=self.api)
use_dogtag_submit = all(
[self.master_fqdn is None,
self.pkcs12_info is None,
self.config_pkinit,
len(ca_instances) == 0])
if use_dogtag_submit:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper(
certmonger_ca, helper
)
certmonger.request_and_wait_for_cert(
certpath=certpath,
subject=subject,
principal=krbtgt,
ca=certmonger_ca,
dns=self.fqdn,
storage='FILE',
profile=KDC_PROFILE,
post_command='renew_kdc_cert',
perms=(0o644, 0o600),
resubmit_timeout=api.env.replication_wait_timeout
)
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error
name = e.get_dbus_name()
if name != 'org.fedorahosted.certmonger.duplicate':
logger.error("Failed to initiate the request: %s", e)
return
finally:
if prev_helper is not None:
certmonger.modify_ca_helper(certmonger_ca, prev_helper)
def _call_certmonger(self, certmonger_ca='IPA'):
subject = str(DN(('cn', self.fqdn), self.subject_base))
krbtgt = "krbtgt/" + self.realm + "@" + self.realm
certpath = (paths.KDC_CERT, paths.KDC_KEY)
try:
prev_helper = None
# on the first CA-ful master without '--no-pkinit', we issue the
# certificate by contacting Dogtag directly
ca_instances = find_providing_servers(
'CA', conn=self.api.Backend.ldap2, api=self.api)
use_dogtag_submit = all(
[self.master_fqdn is None,
self.pkcs12_info is None,
self.config_pkinit,
len(ca_instances) == 0])
if use_dogtag_submit:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper(
certmonger_ca, helper
)
certmonger.request_and_wait_for_cert(
certpath=certpath,
subject=subject,
principal=krbtgt,
ca=certmonger_ca,
dns=self.fqdn,
storage='FILE',
profile=KDC_PROFILE,
post_command='renew_kdc_cert',
perms=(0o644, 0o600),
resubmit_timeout=api.env.certmonger_wait_timeout
)
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error
name = e.get_dbus_name()
if name != 'org.fedorahosted.certmonger.duplicate':
logger.error("Failed to initiate the request: %s", e)
return
finally:
if prev_helper is not None:
certmonger.modify_ca_helper(certmonger_ca, prev_helper)
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(
self.realm,
nssdir=dirname,
subject_base=self.subject_base,
ca_subject=self.ca_subject,
)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = EXTERNAL_CA_TRUST_FLAGS
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
# We only handle one server cert
self.nickname = server_certs[0][0]
self.cert = dsdb.get_cert_from_db(self.nickname)
if self.ca_is_configured:
dsdb.track_server_cert(
self.nickname, self.principal, dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
self.add_cert_to_service()
else:
dsdb.create_from_cacert()
if self.master_fqdn is None:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
cmd = 'restart_dirsrv %s' % self.serverid
certmonger.request_and_wait_for_cert(
certpath=dirname,
storage='NSSDB',
nickname=self.nickname,
principal=self.principal,
passwd_fname=dsdb.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command=cmd
)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
# restart_dirsrv in the request above restarts DS, reconnect ldap2
api.Backend.ldap2.disconnect()
api.Backend.ldap2.connect()
self.cert = dsdb.get_cert_from_db(self.nickname)
if prev_helper is not None:
self.add_cert_to_service()
dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
conn = ipaldap.LDAPClient(ldap_uri)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s(DN(('cn', 'config')), mod)
entry = conn.make_entry(
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
objectclass=["top", "nsEncryptionModule"],
cn=["RSA"],
nsSSLPersonalitySSL=[self.nickname],
nsSSLToken=["internal (software)"],
nsSSLActivation=["on"],
)
try:
conn.add_entry(entry)
except errors.DuplicateEntry:
# 389-DS >= 1.4.0 has a default entry, update it.
conn.update_entry(entry)
conn.unbind()
# check for open secure port 636 from now on
self.open_ports.append(636)
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'
else:
trust_flags = None
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
# We only handle one server cert
self.nickname = server_certs[0][0]
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
if self.ca_is_configured:
dsdb.track_server_cert(
self.nickname, self.principal, dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
else:
cadb = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base)
# FIXME, need to set this nickname in the RA plugin
cadb.export_ca_cert('ipaCert', False)
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
ca_args = ['/usr/libexec/certmonger/dogtag-submit',
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--dbdir', paths.HTTPD_ALIAS_DIR,
'--nickname', 'ipaCert',
'--sslpinfile', paths.ALIAS_PWDFILE_TXT,
'--agent-submit']
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
try:
cmd = 'restart_dirsrv %s' % self.serverid
certmonger.request_and_wait_for_cert(
nssdb=dirname,
nickname=self.nickname,
principal=self.principal,
passwd_fname=dsdb.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command=cmd)
finally:
certmonger.modify_ca_helper('IPA', prev_helper)
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
conn = ipaldap.LDAPClient(ldap_uri)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s(DN(('cn', 'config')), mod)
entry = conn.make_entry(
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
objectclass=["top", "nsEncryptionModule"],
cn=["RSA"],
nsSSLPersonalitySSL=[self.nickname],
nsSSLToken=["internal (software)"],
nsSSLActivation=["on"],
)
conn.add_entry(entry)
conn.unbind()
# check for open secure port 636 from now on
self.open_ports.append(636)
def __setup_ssl(self):
key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
with open(key_passwd_file, 'wb') as f:
os.fchmod(f.fileno(), 0o600)
pkey_passwd = ipautil.ipa_generate_password().encode('utf-8')
f.write(pkey_passwd)
if self.pkcs12_info:
p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys(
*self.pkcs12_info)
keys_dict = {
k.public_key().public_numbers(): k
for k in p12_priv_keys
}
certs_keys = [(c, keys_dict.get(c.public_key().public_numbers()))
for c in p12_certs]
server_certs_keys = [(c, k) for c, k in certs_keys
if k is not None]
if not server_certs_keys:
raise RuntimeError(
"Could not find a suitable server cert in import in %s" %
self.pkcs12_info[0])
# We only handle one server cert
self.cert = server_certs_keys[0][0]
x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE)
x509.write_pem_private_key(server_certs_keys[0][1],
paths.HTTPD_KEY_FILE,
passwd=pkey_passwd)
if self.ca_is_configured:
self.start_tracking_certificates()
self.add_cert_to_service()
else:
if not self.promote:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url',
'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile',
paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT, '--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
principal=self.principal,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd',
storage='FILE',
passwd_fname=key_passwd_file)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if prev_helper is not None:
self.add_cert_to_service()
with open(paths.HTTPD_KEY_FILE, 'rb') as f:
priv_key = x509.load_pem_private_key(
f.read(), pkey_passwd, backend=x509.default_backend())
# Verify we have a valid server cert
if (priv_key.public_key().public_numbers() !=
self.cert.public_key().public_numbers()):
raise RuntimeError(
"The public key of the issued HTTPD service certificate "
"does not match its private key.")
sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = "CT,C,C"
else:
trust_flags = None
dsdb.create_from_pkcs12(
self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags
)
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
# We only handle one server cert
self.nickname = server_certs[0][0]
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
if self.ca_is_configured:
dsdb.track_server_cert(
self.nickname, self.principal, dsdb.passwd_fname, "restart_dirsrv %s" % self.serverid
)
else:
cadb = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base)
# FIXME, need to set this nickname in the RA plugin
cadb.export_ca_cert("ipaCert", False)
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
ca_args = [
"/usr/libexec/certmonger/dogtag-submit",
"--ee-url",
"https://%s:8443/ca/ee/ca" % self.fqdn,
"--dbdir",
paths.HTTPD_ALIAS_DIR,
"--nickname",
"ipaCert",
"--sslpinfile",
paths.ALIAS_PWDFILE_TXT,
"--agent-submit",
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper("IPA", helper)
try:
cmd = "restart_dirsrv %s" % self.serverid
certmonger.request_and_wait_for_cert(
certpath=dirname,
nickname=self.nickname,
principal=self.principal,
passwd_fname=dsdb.passwd_fname,
subject=str(DN(("CN", self.fqdn), self.subject_base)),
ca="IPA",
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command=cmd,
)
finally:
certmonger.modify_ca_helper("IPA", prev_helper)
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
conn = ipaldap.LDAPClient(ldap_uri)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password)
mod = [
(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off"),
]
conn.modify_s(DN(("cn", "encryption"), ("cn", "config")), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s(DN(("cn", "config")), mod)
entry = conn.make_entry(
DN(("cn", "RSA"), ("cn", "encryption"), ("cn", "config")),
objectclass=["top", "nsEncryptionModule"],
cn=["RSA"],
nsSSLPersonalitySSL=[self.nickname],
nsSSLToken=["internal (software)"],
nsSSLActivation=["on"],
)
conn.add_entry(entry)
conn.unbind()
# check for open secure port 636 from now on
self.open_ports.append(636)
def __setup_ssl(self):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'
else:
trust_flags = None
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = db.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
db.create_password_conf()
# We only handle one server cert
nickname = server_certs[0][0]
if nickname == 'ipaCert':
nickname = server_certs[1][0]
self.dercert = db.get_cert_from_db(nickname, pem=False)
if self.ca_is_configured:
db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
self.__set_mod_nss_nickname(nickname)
self.add_cert_to_service()
else:
if not self.promote:
db.create_password_conf()
ca_args = [
'/usr/libexec/certmonger/dogtag-submit',
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--dbdir', paths.HTTPD_ALIAS_DIR,
'--nickname', 'ipaCert',
'--sslpinfile', paths.ALIAS_PWDFILE_TXT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
try:
certmonger.request_and_wait_for_cert(
certpath=db.secdir,
nickname=self.cert_nickname,
principal=self.principal,
passwd_fname=db.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd')
self.dercert = db.get_cert_from_db(
self.cert_nickname, pem=False)
finally:
certmonger.modify_ca_helper('IPA', prev_helper)
self.add_cert_to_service()
server_certs = db.find_server_certs()
if not server_certs:
raise RuntimeError("Could not find a suitable server cert.")
# We only handle one server cert
nickname = server_certs[0][0]
db.export_ca_cert(nickname)
def __setup_ssl(self):
db = certs.CertDB(self.realm,
nssdir=paths.HTTPD_ALIAS_DIR,
subject_base=self.subject_base,
user="******",
group=constants.HTTPD_GROUP,
create=True)
self.disable_system_trust()
self.create_password_conf()
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = EXTERNAL_CA_TRUST_FLAGS
db.init_from_pkcs12(self.pkcs12_info[0],
self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = db.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError(
"Could not find a suitable server cert in import in %s" %
self.pkcs12_info[0])
# We only handle one server cert
nickname = server_certs[0][0]
if nickname == 'ipaCert':
nickname = server_certs[1][0]
self.cert = db.get_cert_from_db(nickname)
if self.ca_is_configured:
db.track_server_cert(nickname, self.principal, db.passwd_fname,
'restart_httpd')
self.__set_mod_nss_nickname(nickname)
self.add_cert_to_service()
else:
if not self.promote:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url',
'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile',
paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT, '--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=db.secdir,
nickname=self.cert_nickname,
principal=self.principal,
passwd_fname=db.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd')
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.cert = db.get_cert_from_db(self.cert_nickname)
if prev_helper is not None:
self.add_cert_to_service()
# Verify we have a valid server cert
server_certs = db.find_server_certs()
if not server_certs:
raise RuntimeError("Could not find a suitable server cert.")
# store the CA cert nickname so that we can publish it later on
self.cacert_nickname = db.cacert_name
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(
self.realm,
nssdir=dirname,
subject_base=self.subject_base,
ca_subject=self.ca_subject,
)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = EXTERNAL_CA_TRUST_FLAGS
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
# We only handle one server cert
self.nickname = server_certs[0][0]
self.cert = dsdb.get_cert_from_db(self.nickname)
if self.ca_is_configured:
dsdb.track_server_cert(
self.nickname, self.principal, dsdb.passwd_fname,
'restart_dirsrv %s' % self.serverid)
self.add_cert_to_service()
else:
dsdb.create_from_cacert()
if self.master_fqdn is None:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
cmd = 'restart_dirsrv %s' % self.serverid
certmonger.request_and_wait_for_cert(
certpath=dirname,
nickname=self.nickname,
principal=self.principal,
passwd_fname=dsdb.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command=cmd)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
# restart_dirsrv in the request above restarts DS, reconnect ldap2
api.Backend.ldap2.disconnect()
api.Backend.ldap2.connect()
self.cert = dsdb.get_cert_from_db(self.nickname)
if prev_helper is not None:
self.add_cert_to_service()
dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
conn = ipaldap.LDAPClient(ldap_uri)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
conn.modify_s(DN(('cn', 'config')), mod)
entry = conn.make_entry(
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
objectclass=["top", "nsEncryptionModule"],
cn=["RSA"],
nsSSLPersonalitySSL=[self.nickname],
nsSSLToken=["internal (software)"],
nsSSLActivation=["on"],
)
conn.add_entry(entry)
conn.unbind()
# check for open secure port 636 from now on
self.open_ports.append(636)
def __setup_ssl(self):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = 'CT,C,C'
else:
trust_flags = None
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = db.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
db.create_password_conf()
# We only handle one server cert
nickname = server_certs[0][0]
if nickname == 'ipaCert':
nickname = server_certs[1][0]
self.dercert = db.get_cert_from_db(nickname, pem=False)
if self.ca_is_configured:
db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
self.__set_mod_nss_nickname(nickname)
self.add_cert_to_service()
else:
if not self.promote:
db.create_password_conf()
ca_args = [
'/usr/libexec/certmonger/dogtag-submit',
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--dbdir', paths.HTTPD_ALIAS_DIR,
'--nickname', 'ipaCert',
'--sslpinfile', paths.ALIAS_PWDFILE_TXT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
try:
certmonger.request_and_wait_for_cert(
nssdb=db.secdir,
nickname=self.cert_nickname,
principal=self.principal,
passwd_fname=db.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd')
self.dercert = db.get_cert_from_db(
self.cert_nickname, pem=False)
finally:
certmonger.modify_ca_helper('IPA', prev_helper)
self.add_cert_to_service()
server_certs = db.find_server_certs()
if not server_certs:
raise RuntimeError("Could not find a suitable server cert.")
# We only handle one server cert
nickname = server_certs[0][0]
db.export_ca_cert(nickname)
def __setup_ssl(self):
key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
with open(key_passwd_file, 'wb') as f:
os.fchmod(f.fileno(), 0o600)
pkey_passwd = ipautil.ipa_generate_password().encode('utf-8')
f.write(pkey_passwd)
if self.pkcs12_info:
p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys(
*self.pkcs12_info)
keys_dict = {
k.public_key().public_numbers(): k
for k in p12_priv_keys
}
certs_keys = [
(c, keys_dict.get(c.public_key().public_numbers()))
for c in p12_certs
]
server_certs_keys = [
(c, k) for c, k in certs_keys if k is not None
]
if not server_certs_keys:
raise RuntimeError(
"Could not find a suitable server cert in import in %s"
% self.pkcs12_info[0]
)
# We only handle one server cert
self.cert = server_certs_keys[0][0]
x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE)
x509.write_pem_private_key(
server_certs_keys[0][1],
paths.HTTPD_KEY_FILE,
passwd=pkey_passwd
)
if self.ca_is_configured:
self.start_tracking_certificates()
self.add_cert_to_service()
else:
if not self.promote:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
principal=self.principal,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd',
storage='FILE',
passwd_fname=key_passwd_file
)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.cert = x509.load_certificate_from_file(
paths.HTTPD_CERT_FILE
)
if prev_helper is not None:
self.add_cert_to_service()
with open(paths.HTTPD_KEY_FILE, 'rb') as f:
priv_key = x509.load_pem_private_key(
f.read(), pkey_passwd, backend=x509.default_backend())
# Verify we have a valid server cert
if (priv_key.public_key().public_numbers()
!= self.cert.public_key().public_numbers()):
raise RuntimeError(
"The public key of the issued HTTPD service certificate "
"does not match its private key.")
sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def __setup_ssl(self):
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
subject_base=self.subject_base, user="******",
group=constants.HTTPD_GROUP,
create=True)
self.disable_system_trust()
self.create_password_conf()
if self.pkcs12_info:
if self.ca_is_configured:
trust_flags = IPA_CA_TRUST_FLAGS
else:
trust_flags = EXTERNAL_CA_TRUST_FLAGS
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = db.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
# We only handle one server cert
nickname = server_certs[0][0]
if nickname == 'ipaCert':
nickname = server_certs[1][0]
self.dercert = db.get_cert_from_db(nickname, pem=False)
if self.ca_is_configured:
db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
self.__set_mod_nss_nickname(nickname)
self.add_cert_to_service()
else:
if not self.promote:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=db.secdir,
nickname=self.cert_nickname,
principal=self.principal,
passwd_fname=db.passwd_fname,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd')
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.dercert = db.get_cert_from_db(self.cert_nickname, pem=False)
if prev_helper is not None:
self.add_cert_to_service()
# Verify we have a valid server cert
server_certs = db.find_server_certs()
if not server_certs:
raise RuntimeError("Could not find a suitable server cert.")
# store the CA cert nickname so that we can publish it later on
self.cacert_nickname = db.cacert_name
