def setup_pkinit(self): if self.pkcs12_info: certs.install_pem_from_p12(self.pkcs12_info[0], self.pkcs12_info[1], paths.KDC_CERT) certs.install_key_from_p12(self.pkcs12_info[0], self.pkcs12_info[1], paths.KDC_KEY) else: subject = str(DN(('cn', self.fqdn), self.subject_base)) krbtgt = "krbtgt/" + self.realm + "@" + self.realm certpath = (paths.KDC_CERT, paths.KDC_KEY) try: prev_helper = None if self.master_fqdn is None: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: self._wait_for_replica_kdc_entry() certmonger.request_and_wait_for_cert( certpath, subject, krbtgt, dns=self.fqdn, storage='FILE', profile='KDCs_PKINIT_Certs') except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() if name != 'org.fedorahosted.certmonger.duplicate': root_logger.error("Failed to initiate the request: %s", e) return finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) # Finally copy the cacert in the krb directory so we don't # have any selinux issues with the file context shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) try: self.restart() except Exception: root_logger.critical("krb5kdc service failed to restart") raise
def _call_certmonger(self, certmonger_ca='IPA'): subject = str(DN(('cn', self.fqdn), self.subject_base)) krbtgt = "krbtgt/" + self.realm + "@" + self.realm certpath = (paths.KDC_CERT, paths.KDC_KEY) try: prev_helper = None # on the first CA-ful master without '--no-pkinit', we issue the # certificate by contacting Dogtag directly ca_instances = find_providing_servers( 'CA', conn=self.api.Backend.ldap2, api=self.api) use_dogtag_submit = all( [self.master_fqdn is None, self.pkcs12_info is None, self.config_pkinit, len(ca_instances) == 0]) if use_dogtag_submit: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper( certmonger_ca, helper ) certmonger.request_and_wait_for_cert( certpath=certpath, subject=subject, principal=krbtgt, ca=certmonger_ca, dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, post_command='renew_kdc_cert', perms=(0o644, 0o600), resubmit_timeout=api.env.replication_wait_timeout ) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() if name != 'org.fedorahosted.certmonger.duplicate': logger.error("Failed to initiate the request: %s", e) return finally: if prev_helper is not None: certmonger.modify_ca_helper(certmonger_ca, prev_helper)
def _call_certmonger(self, certmonger_ca='IPA'): subject = str(DN(('cn', self.fqdn), self.subject_base)) krbtgt = "krbtgt/" + self.realm + "@" + self.realm certpath = (paths.KDC_CERT, paths.KDC_KEY) try: prev_helper = None # on the first CA-ful master without '--no-pkinit', we issue the # certificate by contacting Dogtag directly ca_instances = find_providing_servers( 'CA', conn=self.api.Backend.ldap2, api=self.api) use_dogtag_submit = all( [self.master_fqdn is None, self.pkcs12_info is None, self.config_pkinit, len(ca_instances) == 0]) if use_dogtag_submit: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper( certmonger_ca, helper ) certmonger.request_and_wait_for_cert( certpath=certpath, subject=subject, principal=krbtgt, ca=certmonger_ca, dns=self.fqdn, storage='FILE', profile=KDC_PROFILE, post_command='renew_kdc_cert', perms=(0o644, 0o600), resubmit_timeout=api.env.certmonger_wait_timeout ) except dbus.DBusException as e: # if the certificate is already tracked, ignore the error name = e.get_dbus_name() if name != 'org.fedorahosted.certmonger.duplicate': logger.error("Failed to initiate the request: %s", e) return finally: if prev_helper is not None: certmonger.modify_ca_helper(certmonger_ca, prev_helper)
def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB( self.realm, nssdir=dirname, subject_base=self.subject_base, ca_subject=self.ca_subject, ) if self.pkcs12_info: if self.ca_is_configured: trust_flags = IPA_CA_TRUST_FLAGS else: trust_flags = EXTERNAL_CA_TRUST_FLAGS dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = dsdb.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert self.nickname = server_certs[0][0] self.cert = dsdb.get_cert_from_db(self.nickname) if self.ca_is_configured: dsdb.track_server_cert( self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) self.add_cert_to_service() else: dsdb.create_from_cacert() if self.master_fqdn is None: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: cmd = 'restart_dirsrv %s' % self.serverid certmonger.request_and_wait_for_cert( certpath=dirname, storage='NSSDB', nickname=self.nickname, principal=self.principal, passwd_fname=dsdb.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command=cmd ) finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) # restart_dirsrv in the request above restarts DS, reconnect ldap2 api.Backend.ldap2.disconnect() api.Backend.ldap2.connect() self.cert = dsdb.get_cert_from_db(self.nickname) if prev_helper is not None: self.add_cert_to_service() dsdb.create_pin_file() self.cacert_name = dsdb.cacert_name ldap_uri = ipaldap.get_ldap_uri(self.fqdn) conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), (ldap.MOD_REPLACE, "allowWeakCipher", "off")] conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] conn.modify_s(DN(('cn', 'config')), mod) entry = conn.make_entry( DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), objectclass=["top", "nsEncryptionModule"], cn=["RSA"], nsSSLPersonalitySSL=[self.nickname], nsSSLToken=["internal (software)"], nsSSLActivation=["on"], ) try: conn.add_entry(entry) except errors.DuplicateEntry: # 389-DS >= 1.4.0 has a default entry, update it. conn.update_entry(entry) conn.unbind() # check for open secure port 636 from now on self.open_ports.append(636)
def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' else: trust_flags = None dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = dsdb.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert self.nickname = server_certs[0][0] self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) if self.ca_is_configured: dsdb.track_server_cert( self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) else: cadb = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base) # FIXME, need to set this nickname in the RA plugin cadb.export_ca_cert('ipaCert', False) dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) ca_args = ['/usr/libexec/certmonger/dogtag-submit', '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--dbdir', paths.HTTPD_ALIAS_DIR, '--nickname', 'ipaCert', '--sslpinfile', paths.ALIAS_PWDFILE_TXT, '--agent-submit'] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) try: cmd = 'restart_dirsrv %s' % self.serverid certmonger.request_and_wait_for_cert( nssdb=dirname, nickname=self.nickname, principal=self.principal, passwd_fname=dsdb.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command=cmd) finally: certmonger.modify_ca_helper('IPA', prev_helper) self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) dsdb.create_pin_file() self.cacert_name = dsdb.cacert_name ldap_uri = ipaldap.get_ldap_uri(self.fqdn) conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), (ldap.MOD_REPLACE, "allowWeakCipher", "off")] conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] conn.modify_s(DN(('cn', 'config')), mod) entry = conn.make_entry( DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), objectclass=["top", "nsEncryptionModule"], cn=["RSA"], nsSSLPersonalitySSL=[self.nickname], nsSSLToken=["internal (software)"], nsSSLActivation=["on"], ) conn.add_entry(entry) conn.unbind() # check for open secure port 636 from now on self.open_ports.append(636)
def __setup_ssl(self): key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host) with open(key_passwd_file, 'wb') as f: os.fchmod(f.fileno(), 0o600) pkey_passwd = ipautil.ipa_generate_password().encode('utf-8') f.write(pkey_passwd) if self.pkcs12_info: p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys( *self.pkcs12_info) keys_dict = { k.public_key().public_numbers(): k for k in p12_priv_keys } certs_keys = [(c, keys_dict.get(c.public_key().public_numbers())) for c in p12_certs] server_certs_keys = [(c, k) for c, k in certs_keys if k is not None] if not server_certs_keys: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert self.cert = server_certs_keys[0][0] x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE) x509.write_pem_private_key(server_certs_keys[0][1], paths.HTTPD_KEY_FILE, passwd=pkey_passwd) if self.ca_is_configured: self.start_tracking_certificates() self.add_cert_to_service() else: if not self.promote: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: certmonger.request_and_wait_for_cert( certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE), principal=self.principal, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd', storage='FILE', passwd_fname=key_passwd_file) finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) self.cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE) if prev_helper is not None: self.add_cert_to_service() with open(paths.HTTPD_KEY_FILE, 'rb') as f: priv_key = x509.load_pem_private_key( f.read(), pkey_passwd, backend=x509.default_backend()) # Verify we have a valid server cert if (priv_key.public_key().public_numbers() != self.cert.public_key().public_numbers()): raise RuntimeError( "The public key of the issued HTTPD service certificate " "does not match its private key.") sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) if self.pkcs12_info: if self.ca_is_configured: trust_flags = "CT,C,C" else: trust_flags = None dsdb.create_from_pkcs12( self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags ) server_certs = dsdb.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert self.nickname = server_certs[0][0] self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) if self.ca_is_configured: dsdb.track_server_cert( self.nickname, self.principal, dsdb.passwd_fname, "restart_dirsrv %s" % self.serverid ) else: cadb = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base) # FIXME, need to set this nickname in the RA plugin cadb.export_ca_cert("ipaCert", False) dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) ca_args = [ "/usr/libexec/certmonger/dogtag-submit", "--ee-url", "https://%s:8443/ca/ee/ca" % self.fqdn, "--dbdir", paths.HTTPD_ALIAS_DIR, "--nickname", "ipaCert", "--sslpinfile", paths.ALIAS_PWDFILE_TXT, "--agent-submit", ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper("IPA", helper) try: cmd = "restart_dirsrv %s" % self.serverid certmonger.request_and_wait_for_cert( certpath=dirname, nickname=self.nickname, principal=self.principal, passwd_fname=dsdb.passwd_fname, subject=str(DN(("CN", self.fqdn), self.subject_base)), ca="IPA", profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command=cmd, ) finally: certmonger.modify_ca_helper("IPA", prev_helper) self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) dsdb.create_pin_file() self.cacert_name = dsdb.cacert_name ldap_uri = ipaldap.get_ldap_uri(self.fqdn) conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) mod = [ (ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), (ldap.MOD_REPLACE, "allowWeakCipher", "off"), ] conn.modify_s(DN(("cn", "encryption"), ("cn", "config")), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] conn.modify_s(DN(("cn", "config")), mod) entry = conn.make_entry( DN(("cn", "RSA"), ("cn", "encryption"), ("cn", "config")), objectclass=["top", "nsEncryptionModule"], cn=["RSA"], nsSSLPersonalitySSL=[self.nickname], nsSSLToken=["internal (software)"], nsSSLActivation=["on"], ) conn.add_entry(entry) conn.unbind() # check for open secure port 636 from now on self.open_ports.append(636)
def __setup_ssl(self): db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' else: trust_flags = None db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) db.create_password_conf() # We only handle one server cert nickname = server_certs[0][0] if nickname == 'ipaCert': nickname = server_certs[1][0] self.dercert = db.get_cert_from_db(nickname, pem=False) if self.ca_is_configured: db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd') self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() else: if not self.promote: db.create_password_conf() ca_args = [ '/usr/libexec/certmonger/dogtag-submit', '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--dbdir', paths.HTTPD_ALIAS_DIR, '--nickname', 'ipaCert', '--sslpinfile', paths.ALIAS_PWDFILE_TXT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) try: certmonger.request_and_wait_for_cert( certpath=db.secdir, nickname=self.cert_nickname, principal=self.principal, passwd_fname=db.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd') self.dercert = db.get_cert_from_db( self.cert_nickname, pem=False) finally: certmonger.modify_ca_helper('IPA', prev_helper) self.add_cert_to_service() server_certs = db.find_server_certs() if not server_certs: raise RuntimeError("Could not find a suitable server cert.") # We only handle one server cert nickname = server_certs[0][0] db.export_ca_cert(nickname)
def __setup_ssl(self): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="******", group=constants.HTTPD_GROUP, create=True) self.disable_system_trust() self.create_password_conf() if self.pkcs12_info: if self.ca_is_configured: trust_flags = IPA_CA_TRUST_FLAGS else: trust_flags = EXTERNAL_CA_TRUST_FLAGS db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert nickname = server_certs[0][0] if nickname == 'ipaCert': nickname = server_certs[1][0] self.cert = db.get_cert_from_db(nickname) if self.ca_is_configured: db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd') self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() else: if not self.promote: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: certmonger.request_and_wait_for_cert( certpath=db.secdir, nickname=self.cert_nickname, principal=self.principal, passwd_fname=db.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd') finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) self.cert = db.get_cert_from_db(self.cert_nickname) if prev_helper is not None: self.add_cert_to_service() # Verify we have a valid server cert server_certs = db.find_server_certs() if not server_certs: raise RuntimeError("Could not find a suitable server cert.") # store the CA cert nickname so that we can publish it later on self.cacert_nickname = db.cacert_name
def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB( self.realm, nssdir=dirname, subject_base=self.subject_base, ca_subject=self.ca_subject, ) if self.pkcs12_info: if self.ca_is_configured: trust_flags = IPA_CA_TRUST_FLAGS else: trust_flags = EXTERNAL_CA_TRUST_FLAGS dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = dsdb.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert self.nickname = server_certs[0][0] self.cert = dsdb.get_cert_from_db(self.nickname) if self.ca_is_configured: dsdb.track_server_cert( self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) self.add_cert_to_service() else: dsdb.create_from_cacert() if self.master_fqdn is None: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: cmd = 'restart_dirsrv %s' % self.serverid certmonger.request_and_wait_for_cert( certpath=dirname, nickname=self.nickname, principal=self.principal, passwd_fname=dsdb.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command=cmd) finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) # restart_dirsrv in the request above restarts DS, reconnect ldap2 api.Backend.ldap2.disconnect() api.Backend.ldap2.connect() self.cert = dsdb.get_cert_from_db(self.nickname) if prev_helper is not None: self.add_cert_to_service() dsdb.create_pin_file() self.cacert_name = dsdb.cacert_name ldap_uri = ipaldap.get_ldap_uri(self.fqdn) conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), (ldap.MOD_REPLACE, "allowWeakCipher", "off")] conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) mod = [(ldap.MOD_ADD, "nsslapd-security", "on")] conn.modify_s(DN(('cn', 'config')), mod) entry = conn.make_entry( DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), objectclass=["top", "nsEncryptionModule"], cn=["RSA"], nsSSLPersonalitySSL=[self.nickname], nsSSLToken=["internal (software)"], nsSSLActivation=["on"], ) conn.add_entry(entry) conn.unbind() # check for open secure port 636 from now on self.open_ports.append(636)
def __setup_ssl(self): db = certs.CertDB(self.realm, subject_base=self.subject_base) if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' else: trust_flags = None db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) db.create_password_conf() # We only handle one server cert nickname = server_certs[0][0] if nickname == 'ipaCert': nickname = server_certs[1][0] self.dercert = db.get_cert_from_db(nickname, pem=False) if self.ca_is_configured: db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd') self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() else: if not self.promote: db.create_password_conf() ca_args = [ '/usr/libexec/certmonger/dogtag-submit', '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--dbdir', paths.HTTPD_ALIAS_DIR, '--nickname', 'ipaCert', '--sslpinfile', paths.ALIAS_PWDFILE_TXT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) try: certmonger.request_and_wait_for_cert( nssdb=db.secdir, nickname=self.cert_nickname, principal=self.principal, passwd_fname=db.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd') self.dercert = db.get_cert_from_db( self.cert_nickname, pem=False) finally: certmonger.modify_ca_helper('IPA', prev_helper) self.add_cert_to_service() server_certs = db.find_server_certs() if not server_certs: raise RuntimeError("Could not find a suitable server cert.") # We only handle one server cert nickname = server_certs[0][0] db.export_ca_cert(nickname)
def __setup_ssl(self): key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host) with open(key_passwd_file, 'wb') as f: os.fchmod(f.fileno(), 0o600) pkey_passwd = ipautil.ipa_generate_password().encode('utf-8') f.write(pkey_passwd) if self.pkcs12_info: p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys( *self.pkcs12_info) keys_dict = { k.public_key().public_numbers(): k for k in p12_priv_keys } certs_keys = [ (c, keys_dict.get(c.public_key().public_numbers())) for c in p12_certs ] server_certs_keys = [ (c, k) for c, k in certs_keys if k is not None ] if not server_certs_keys: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0] ) # We only handle one server cert self.cert = server_certs_keys[0][0] x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE) x509.write_pem_private_key( server_certs_keys[0][1], paths.HTTPD_KEY_FILE, passwd=pkey_passwd ) if self.ca_is_configured: self.start_tracking_certificates() self.add_cert_to_service() else: if not self.promote: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: certmonger.request_and_wait_for_cert( certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE), principal=self.principal, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd', storage='FILE', passwd_fname=key_passwd_file ) finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) self.cert = x509.load_certificate_from_file( paths.HTTPD_CERT_FILE ) if prev_helper is not None: self.add_cert_to_service() with open(paths.HTTPD_KEY_FILE, 'rb') as f: priv_key = x509.load_pem_private_key( f.read(), pkey_passwd, backend=x509.default_backend()) # Verify we have a valid server cert if (priv_key.public_key().public_numbers() != self.cert.public_key().public_numbers()): raise RuntimeError( "The public key of the issued HTTPD service certificate " "does not match its private key.") sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def __setup_ssl(self): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="******", group=constants.HTTPD_GROUP, create=True) self.disable_system_trust() self.create_password_conf() if self.pkcs12_info: if self.ca_is_configured: trust_flags = IPA_CA_TRUST_FLAGS else: trust_flags = EXTERNAL_CA_TRUST_FLAGS db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], ca_file=self.ca_file, trust_flags=trust_flags) server_certs = db.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert nickname = server_certs[0][0] if nickname == 'ipaCert': nickname = server_certs[1][0] self.dercert = db.get_cert_from_db(nickname, pem=False) if self.ca_is_configured: db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd') self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() else: if not self.promote: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: certmonger.request_and_wait_for_cert( certpath=db.secdir, nickname=self.cert_nickname, principal=self.principal, passwd_fname=db.passwd_fname, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd') finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) self.dercert = db.get_cert_from_db(self.cert_nickname, pem=False) if prev_helper is not None: self.add_cert_to_service() # Verify we have a valid server cert server_certs = db.find_server_certs() if not server_certs: raise RuntimeError("Could not find a suitable server cert.") # store the CA cert nickname so that we can publish it later on self.cacert_nickname = db.cacert_name