def expired_ipa_certs(now):
    """
    Determine which IPA certs are expired, or close to expiry.

    ``now`` is the reference time compared against each certificate's
    ``not_valid_after``; a caller can pass a future time to catch
    certificates that are about to expire.

    Return a list of (IPACertType, cert) pairs.
    """
    expiring = []

    def _record(cert_type, cert):
        # A cert counts as expiring when its validity ends at or before ``now``.
        if cert.not_valid_after <= now:
            expiring.append((cert_type, cert))

    # IPA RA
    _record(IPACertType.IPARA,
            x509.load_certificate_from_file(paths.RA_AGENT_PEM))

    # Apache HTTPD
    _record(IPACertType.HTTPS,
            x509.load_certificate_from_file(paths.HTTPD_CERT_FILE))

    # LDAPS -- read from the directory server's NSS database.
    ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
    _record(IPACertType.LDAPS,
            NSSDatabase(nssdir=ds_dbdir).get_cert('Server-Cert'))

    # KDC
    _record(IPACertType.KDC,
            x509.load_certificate_from_file(paths.KDC_CERT))

    return expiring
def expired_dogtag_certs(now):
    """
    Determine which Dogtag certs are expired, or close to expiry.

    ``now`` is the reference time compared against each certificate's
    ``not_valid_after``.  Certificates whose nickname is absent from the
    PKI NSS database are skipped silently.

    Return a list of (cert_id, cert) pairs.
    """
    # (cert_id, NSS nickname) in the order they are reported.
    tracked = (
        ('sslserver', 'Server-Cert cert-pki-ca'),
        ('subsystem', 'subsystemCert cert-pki-ca'),
        ('ca_ocsp_signing', 'ocspSigningCert cert-pki-ca'),
        ('ca_audit_signing', 'auditSigningCert cert-pki-ca'),
        ('kra_transport', 'transportCert cert-pki-kra'),
        ('kra_storage', 'storageCert cert-pki-kra'),
        ('kra_audit_signing', 'auditSigningCert cert-pki-kra'),
    )
    db = NSSDatabase(nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
    missing = object()

    def _lookup(nickname):
        try:
            return db.get_cert(nickname)
        except RuntimeError:
            # certdb raises a bare RuntimeError here; nothing finer is
            # available, so treat it as "no such cert" and move on.
            return missing

    expiring = []
    for certid, nickname in tracked:
        cert = _lookup(nickname)
        if cert is missing:
            continue
        if cert.not_valid_after <= now:
            expiring.append((certid, cert))
    return expiring
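def expired_ipa_certs(now):
    """
    Determine which IPA certs are expired, or close to expiry.

    ``now`` is the reference time compared against each certificate's
    ``not_valid_after``.

    Return a pair of lists ``(certs, non_renewed)``.  ``certs`` holds
    (IPACertType, cert) pairs for expiring certificates issued by the IPA
    CA; ``non_renewed`` holds (IPACertType, cert) pairs for expiring
    HTTPD/LDAPS/KDC certificates that were not issued by the IPA CA and
    so are not renewed by this tool.
    """
    certs = []
    non_renewed = []

    def _classify(cert_type, cert, *, check_issuer=True):
        """Sort an expiring cert into ``certs`` or ``non_renewed``."""
        if cert.not_valid_after > now:
            return
        # A cert from a third-party CA cannot be renewed by the IPA CA.
        if check_issuer and not is_ipa_issued_cert(api, cert):
            non_renewed.append((cert_type, cert))
        else:
            certs.append((cert_type, cert))

    # IPA RA -- no issuer check (preserves the existing behaviour).
    cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
    _classify(IPACertType.IPARA, cert, check_issuer=False)

    # Apache HTTPD
    cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
    _classify(IPACertType.HTTPS, cert)

    # LDAPS -- the nickname is looked up from the DS instance rather
    # than hard-coded.
    serverid = realm_to_serverid(api.env.realm)
    ds = dsinstance.DsInstance(realm_name=api.env.realm)
    ds_dbdir = dsinstance.config_dirname(serverid)
    ds_nickname = ds.get_server_cert_nickname(serverid)
    db = NSSDatabase(nssdir=ds_dbdir)
    cert = db.get_cert(ds_nickname)
    _classify(IPACertType.LDAPS, cert)

    # KDC -- the non_renewed entry was previously labelled HTTPS (a
    # copy-paste slip), so the report named the wrong certificate.
    cert = x509.load_certificate_from_file(paths.KDC_CERT)
    _classify(IPACertType.KDC, cert)

    return certs, non_renewed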
def expired_dogtag_certs(now):
    """
    Determine which Dogtag certs are expired, or close to expiry.

    ``now`` is the reference time compared against each certificate's
    ``not_valid_after``.  Nicknames from the module-level
    ``cert_nicknames`` mapping that are absent from the PKI NSS database
    are skipped silently.

    Return a list of (cert_id, cert) pairs.
    """
    db = NSSDatabase(nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
    expiring = []
    for certid, nickname in cert_nicknames.items():
        try:
            cert = db.get_cert(nickname)
        except RuntimeError:
            # certdb raises a bare RuntimeError here; nothing finer is
            # available, so treat it as "no such cert" and move on.
            continue
        if cert.not_valid_after <= now:
            expiring.append((certid, cert))
    return expiring