def install_kdc_cert(self):
        """Install a PKINIT certificate and key for the KDC from a PKCS#12 file.

        The PKCS#12 bundle named on the command line is unpacked, the
        certificate it contains is checked against the local CA bundle
        (``paths.CA_BUNDLE_PEM``) before anything is written under the KDC
        paths, the cert and key are then installed to ``paths.KDC_CERT`` /
        ``paths.KDC_KEY``, certmonger tracking is restarted when the CA that
        signed the cert is the IPA CA, and PKINIT is enabled on the KDC.

        Raises:
            admintool.ScriptError: when the issuer is not trusted, or when
                the CA query, certmonger, or an install helper raises
                RuntimeError.
        """
        realm = api.env.realm
        bundle_path = paths.CA_BUNDLE_PEM
        p12, p12_pin, signing_ca = installutils.load_pkcs12(
            cert_files=self.args,
            key_password=self.options.pin,
            key_nickname=self.options.cert_name,
            ca_cert_files=[bundle_path],
            realm_name=realm)

        nssdb = certs.CertDB(realm, nssdir=paths.IPA_NSSDB_DIR)

        # Validate the issuer before touching the live KDC files: the cert is
        # extracted to a scratch file and verified against the CA bundle.
        with tempfile.NamedTemporaryFile() as scratch:
            certs.install_pem_from_p12(p12.name, p12_pin, scratch.name)
            candidate = x509.load_certificate_from_file(scratch.name)
            trusted_cas = x509.load_certificate_list_from_file(bundle_path)
            try:
                verify_kdc_cert_validity(candidate, trusted_cas, realm)
            except ValueError as e:
                raise admintool.ScriptError(
                    "Peer's certificate issuer is not trusted (%s). "
                    "Please run ipa-cacert-manage install and ipa-certupdate "
                    "to install the CA certificate." % str(e))

        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            # Any existing tracking request is dropped before the files
            # underneath it are replaced.
            if ca_enabled:
                certmonger.stop_tracking(certfile=paths.KDC_CERT)

            certs.install_pem_from_p12(p12.name, p12_pin, paths.KDC_CERT)
            certs.install_key_from_p12(p12.name, p12_pin, paths.KDC_KEY)

            # Start tracking only if the cert was issued by the IPA CA: the
            # IPA CA is read from the NSS DB and compared with the CA that
            # signed this certificate.
            if ca_enabled:
                ipa_ca = nssdb.get_cert_from_db(
                    get_ca_nickname(realm), pem=False)
                if signing_ca == ipa_ca:
                    certmonger.start_tracking(
                        (paths.KDC_CERT, paths.KDC_KEY),
                        storage='FILE',
                        profile='KDCs_PKINIT_Certs')
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        kdc = krbinstance.KrbInstance()
        kdc.init_info(realm_name=realm, host_name=api.env.host)
        kdc.pkinit_enable()
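    def replace_key_cert_files(
        self, cert, key, cert_fname, key_fname, ca_cert, passwd_fname=None,
        profile=None, cmgr_post_command=None
    ):
        """Write *cert* and *key* to disk and restart certmonger tracking.

        Args:
            cert: certificate object handed to ``x509.write_certificate``.
            key: private key object handed to ``x509.write_pem_private_key``.
            cert_fname: destination path of the certificate file.
            key_fname: destination path of the private key file.
            ca_cert: the CA certificate that signed *cert*; compared with the
                IPA CA from the NSS DB to decide whether to track the cert.
            passwd_fname: optional file holding the key password; its raw
                bytes are passed to the key writer and the path is handed to
                certmonger as the pin file.
            profile: optional certmonger profile for the tracking request.
            cmgr_post_command: optional certmonger post-save command.

        Returns:
            The certmonger request id when tracking was started, else None.

        Raises:
            admintool.ScriptError: wrapping any RuntimeError from the CA
                query, certmonger, or the write helpers.
        """
        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            # Drop any existing tracking request before the files under it
            # are replaced.
            if ca_enabled:
                certmonger.stop_tracking(certfile=cert_fname)

            pkey_passwd = None
            if passwd_fname is not None:
                with open(passwd_fname, 'rb') as f:
                    pkey_passwd = f.read()

            x509.write_certificate(cert, cert_fname)
            x509.write_pem_private_key(key, key_fname, pkey_passwd)

            if ca_enabled:
                # Start tracking only if the cert was issued by IPA CA
                # Retrieve IPA CA
                cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
                ipa_ca_cert = cdb.get_cert_from_db(
                    get_ca_nickname(api.env.realm))
                # And compare with the CA which signed this certificate
                if ca_cert == ipa_ca_cert:
                    # Forward the caller's profile; it used to be accepted by
                    # the signature but never passed on to certmonger.
                    req_id = certmonger.start_tracking(
                        (cert_fname, key_fname),
                        pinfile=passwd_fname,
                        storage='FILE',
                        profile=profile,
                        post_command=cmgr_post_command
                    )
                    return req_id
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))
        return None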
    def configure_renewal(self):
        """Register every nickname in ``self.tracking_reqs`` with certmonger.

        Each certificate in the NSS DB is tracked through the
        ``dogtag-ipa-ca-renew-agent`` CA with the same pin; a RuntimeError
        from certmonger is logged per certificate and the remaining
        nicknames are still processed.
        """
        nss_pin = self.__get_pin()

        shared = dict(
            certpath=self.nss_db,
            ca='dogtag-ipa-ca-renew-agent',
            pin=nss_pin,
            pre_command='stop_pkicad',
        )
        for nick in self.tracking_reqs:
            try:
                certmonger.start_tracking(
                    nickname=nick,
                    post_command='renew_ca_cert "%s"' % nick,
                    **shared
                )
            except RuntimeError as e:
                logger.error(
                    "certmonger failed to start tracking certificate: %s", e)
 def track_servercert(self):
     """Ask certmonger to track ``self.server_cert_name`` in the NSS DB.

     Deliberately no CA restart is requested from certmonger here: the
     renewal script, renew_ca_cert, restarts the CA once all the subsystem
     certificates are renewed. A RuntimeError from certmonger is logged,
     not raised.
     """
     nick = self.server_cert_name
     request = dict(
         certpath=self.nss_db,
         ca='dogtag-ipa-ca-renew-agent',
         nickname=nick,
         pin=self.__get_pin(),
         pre_command='stop_pkicad',
         post_command='renew_ca_cert "%s"' % nick,
     )
     try:
         certmonger.start_tracking(**request)
     except RuntimeError as e:
         logger.error(
             "certmonger failed to start tracking certificate: %s", e)
 def track_servercert(self):
     """Ask certmonger to track ``self.server_cert_name`` in the NSS DB.

     Deliberately no CA restart is requested from certmonger here: the
     renewal script, renew_ca_cert, restarts the CA once all the subsystem
     certificates are renewed. A RuntimeError from certmonger is logged,
     not raised.
     """
     nick = self.server_cert_name
     request = dict(
         certpath=self.nss_db,
         ca='dogtag-ipa-ca-renew-agent',
         nickname=nick,
         pin=self.__get_pin(),
         pre_command='stop_pkicad',
         post_command='renew_ca_cert "%s"' % nick,
     )
     try:
         certmonger.start_tracking(**request)
     except RuntimeError as e:
         logger.error(
             "certmonger failed to start tracking certificate: %s", e)
    def configure_renewal(self):
        """Register every nickname in ``self.tracking_reqs`` with certmonger.

        The pin is fetched once for ``self.token_name`` and reused for each
        request; a RuntimeError from certmonger is logged per certificate
        and the remaining nicknames are still processed.
        """
        token = self.token_name
        token_pin = self.__get_pin(token)

        for nick in self.tracking_reqs:
            request = dict(
                certpath=self.nss_db,
                ca='dogtag-ipa-ca-renew-agent',
                nickname=nick,
                token_name=token,
                pin=token_pin,
                pre_command='stop_pkicad',
                post_command='renew_ca_cert "%s"' % nick,
            )
            try:
                certmonger.start_tracking(**request)
            except RuntimeError as e:
                logger.error(
                    "certmonger failed to start tracking certificate: %s", e)
    def configure_renewal(self):
        """Register every nickname in ``self.tracking_reqs`` with certmonger.

        For each nickname the owning token and its pin are resolved
        individually and the profile is taken from the ``tracking_reqs``
        mapping. A RuntimeError from certmonger is logged per certificate
        without stopping the loop.
        """
        for nick in self.tracking_reqs:
            token = self.get_token_name(nick)
            token_pin = self.__get_pin(token)
            request = dict(
                certpath=self.nss_db,
                ca=RENEWAL_CA_NAME,
                nickname=nick,
                token_name=token,
                pin=token_pin,
                pre_command='stop_pkicad',
                post_command='renew_ca_cert "%s"' % nick,
                profile=self.tracking_reqs[nick],
            )
            try:
                certmonger.start_tracking(**request)
            except RuntimeError as e:
                logger.error(
                    "certmonger failed to start tracking certificate: %s", e)
 def start_tracking_certificates(self):
     """Put the HTTP server certificate under certmonger tracking.

     Tracking is only started when the cert at ``paths.HTTPD_CERT_FILE``
     was issued by the IPA CA; the request is then tagged with
     ``self.principal`` and the cert's subject DN. Any other cert is left
     alone and a debug line records why.
     """
     httpd_cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
     if not certs.is_ipa_issued_cert(api, httpd_cert):
         logger.debug("Will not track HTTP server cert %s as it is not "
                      "issued by IPA", httpd_cert.subject)
         return

     req_id = certmonger.start_tracking(
         certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
         post_command='restart_httpd', storage='FILE'
     )
     subject_dn = str(DN(httpd_cert.subject))
     certmonger.add_principal(req_id, self.principal)
     certmonger.add_subject(req_id, subject_dn)
 def start_tracking_certificates(self):
     """Put the HTTP server certificate under certmonger tracking.

     Tracking is only started when the cert at ``paths.HTTPD_CERT_FILE``
     was issued by the IPA CA; the request is then tagged with
     ``self.principal`` and the cert's subject DN. Any other cert is left
     alone and a debug line records why.
     """
     httpd_cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
     if not certs.is_ipa_issued_cert(api, httpd_cert):
         logger.debug(
             "Will not track HTTP server cert %s as it is not "
             "issued by IPA", httpd_cert.subject)
         return

     req_id = certmonger.start_tracking(
         certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
         post_command='restart_httpd',
         storage='FILE')
     subject_dn = str(DN(httpd_cert.subject))
     certmonger.add_principal(req_id, self.principal)
     certmonger.add_subject(req_id, subject_dn)
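    def track_server_cert(self, nickname, principal, password_file=None, command=None):
        """
        Tell certmonger to track the given certificate nickname.

        The nickname is tracked in ``self.secdir``; on success the request
        is tagged with *principal* and the subject DN of the cert read back
        from the DB. If certmonger rejects the request the error is logged
        and the method returns without raising.

        :param nickname: NSS nickname of the certificate to track
        :param principal: Kerberos principal to attach to the request
        :param password_file: optional pin file handed to certmonger
        :param command: optional certmonger post-save command
        """
        try:
            request_id = certmonger.start_tracking(
                self.secdir, nickname=nickname, pinfile=password_file,
                post_command=command)
        except RuntimeError as e:
            # Lazy %-args: logging formats the message only if it is emitted.
            root_logger.error(
                "certmonger failed starting to track certificate: %s", str(e))
            return

        cert = self.get_cert_from_db(nickname)
        cert_obj = x509.load_certificate(cert)
        subject = str(DN(cert_obj.subject))
        certmonger.add_principal(request_id, principal)
        certmonger.add_subject(request_id, subject)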
    def track_server_cert(self, nickname, principal, password_file=None, command=None):
        """
        Tell certmonger to track the given certificate nickname.

        On success the request is tagged with *principal* and the subject DN
        of the cert read back from the DB. A RuntimeError from certmonger is
        logged and the method returns without raising.

        :param nickname: NSS nickname of the certificate to track
        :param principal: Kerberos principal to attach to the request
        :param password_file: optional pin file handed to certmonger
        :param command: optional certmonger post-save command
        """
        try:
            req_id = certmonger.start_tracking(
                self.secdir, nickname=nickname, pinfile=password_file,
                post_command=command)
        except RuntimeError as e:
            logger.error("certmonger failed starting to track certificate: %s",
                         str(e))
            return

        tracked = self.get_cert_from_db(nickname)
        subject_dn = str(DN(tracked.subject))
        certmonger.add_principal(req_id, principal)
        certmonger.add_subject(req_id, subject_dn)
 def start_tracking_certificates(self):
     """Put the HTTP server certificate under certmonger tracking.

     Only a cert issued by the IPA CA is tracked; the request carries the
     default Dogtag profile, the per-host key password file, and the DNS
     names of this host and of ``IPA_CA_RECORD`` under the domain. Any
     other cert is skipped with a debug log line.
     """
     pin_path = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
     httpd_cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
     if not certs.is_ipa_issued_cert(api, httpd_cert):
         logger.debug("Will not track HTTP server cert %s as it is not "
                      "issued by IPA", httpd_cert.subject)
         return

     dns_names = [self.fqdn, f'{IPA_CA_RECORD}.{api.env.domain}']
     req_id = certmonger.start_tracking(
         certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
         post_command='restart_httpd', storage='FILE',
         profile=dogtag.DEFAULT_PROFILE,
         pinfile=pin_path,
         dns=dns_names,
     )
     subject_dn = str(DN(httpd_cert.subject))
     certmonger.add_principal(req_id, self.principal)
     certmonger.add_subject(req_id, subject_dn)
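    def track_server_cert(self, nickname, principal, password_file=None, command=None):
        """
        Tell certmonger to track the given certificate nickname.

        If command is not a full path then it is prefixed with
        /usr/lib[64]/ipa/certmonger.

        On success the request is tagged with *principal* and the subject DN
        of the cert read back from the DB. If certmonger rejects the request
        the error is logged and the method returns without raising.

        :param nickname: NSS nickname of the certificate to track
        :param principal: Kerberos principal to attach to the request
        :param password_file: optional pin file handed to certmonger
        :param command: optional certmonger post-save command
        """
        # Relative commands are resolved inside the IPA certmonger helper
        # directory rather than via PATH.
        if command is not None and not os.path.isabs(command):
            command = paths.CERTMONGER_COMMAND_TEMPLATE % (command)
        try:
            request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
        except RuntimeError as e:
            # Lazy %-args: logging formats the message only if it is emitted.
            root_logger.error(
                "certmonger failed starting to track certificate: %s", str(e))
            return

        cert = self.get_cert_from_db(nickname)
        cert_obj = x509.load_certificate(cert)
        subject = str(DN(cert_obj.subject))
        certmonger.add_principal(request_id, principal)
        certmonger.add_subject(request_id, subject)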
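    def track_server_cert(self, nickname, principal, password_file=None, command=None):
        """
        Tell certmonger to track the given certificate nickname.

        If command is not a full path then it is prefixed with
        /usr/lib[64]/ipa/certmonger.

        On success the request is tagged with *principal* and the subject DN
        of the cert read back from the DB. If certmonger rejects the request
        the error is logged and the method returns without raising.

        :param nickname: NSS nickname of the certificate to track
        :param principal: Kerberos principal to attach to the request
        :param password_file: optional pin file handed to certmonger
        :param command: optional certmonger post-save command
        """
        # Relative commands are resolved inside the IPA certmonger helper
        # directory rather than via PATH.
        if command is not None and not os.path.isabs(command):
            command = paths.CERTMONGER_COMMAND_TEMPLATE % (command)
        try:
            request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
        except RuntimeError as e:
            # Lazy %-args: logging formats the message only if it is emitted.
            root_logger.error(
                "certmonger failed starting to track certificate: %s", str(e))
            return

        cert = self.get_cert_from_db(nickname)
        cert_obj = x509.load_certificate(cert)
        subject = str(DN(cert_obj.subject))
        certmonger.add_principal(request_id, principal)
        certmonger.add_subject(request_id, subject)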
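    def replace_key_cert_files(self,
                               cert,
                               key,
                               cert_fname,
                               key_fname,
                               ca_cert,
                               passwd_fname=None,
                               profile=None,
                               cmgr_post_command=None):
        """Write *cert* and *key* to disk and restart certmonger tracking.

        Args:
            cert: certificate object handed to ``x509.write_certificate``.
            key: private key object handed to ``x509.write_pem_private_key``.
            cert_fname: destination path of the certificate file.
            key_fname: destination path of the private key file.
            ca_cert: the CA certificate that signed *cert*; compared with the
                IPA CA from the NSS DB to decide whether to track the cert.
            passwd_fname: optional file holding the key password; its raw
                bytes are passed to the key writer and the path is handed to
                certmonger as the pin file.
            profile: optional certmonger profile for the tracking request.
            cmgr_post_command: optional certmonger post-save command.

        Returns:
            The certmonger request id when tracking was started, else None.

        Raises:
            admintool.ScriptError: wrapping any RuntimeError from the CA
                query, certmonger, or the write helpers.
        """
        try:
            ca_enabled = api.Command.ca_is_enabled()['result']
            # Drop any existing tracking request before the files under it
            # are replaced.
            if ca_enabled:
                certmonger.stop_tracking(certfile=cert_fname)

            pkey_passwd = None
            if passwd_fname is not None:
                with open(passwd_fname, 'rb') as f:
                    pkey_passwd = f.read()

            x509.write_certificate(cert, cert_fname)
            x509.write_pem_private_key(key, key_fname, pkey_passwd)

            if ca_enabled:
                # Start tracking only if the cert was issued by IPA CA
                # Retrieve IPA CA
                cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
                ipa_ca_cert = cdb.get_cert_from_db(
                    get_ca_nickname(api.env.realm))
                # And compare with the CA which signed this certificate
                if ca_cert == ipa_ca_cert:
                    # Forward the caller's profile; it used to be accepted by
                    # the signature but never passed on to certmonger.
                    req_id = certmonger.start_tracking(
                        (cert_fname, key_fname),
                        pinfile=passwd_fname,
                        storage='FILE',
                        profile=profile,
                        post_command=cmgr_post_command)
                    return req_id
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))
        return None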