def stop_tracking_certificates(self, stop_certmonger=True):
"""Stop tracking our certificates. Called on uninstall.
"""
logger.debug(
"Configuring certmonger to stop tracking system certificates "
"for %s", self.subsystem)
cmonger = services.knownservices.certmonger
services.knownservices.dbus.start()
cmonger.start()
nicknames = list(self.tracking_reqs)
if self.server_cert_name is not None:
nicknames.append(self.server_cert_name)
for nickname in nicknames:
try:
certmonger.stop_tracking(
self.nss_db, nickname=nickname)
except RuntimeError as e:
logger.error(
"certmonger failed to stop tracking certificate: %s", e)
if stop_certmonger:
cmonger.stop()
def replace_key_cert_files(
self, cert, key, cert_fname, key_fname, ca_cert,
profile=None, cmgr_post_command=None
):
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=cert_fname)
x509.write_certificate(cert, cert_fname)
x509.write_pem_private_key(key, key_fname)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
ipa_ca_cert = cdb.get_cert_from_db(
get_ca_nickname(api.env.realm))
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
req_id = certmonger.start_tracking(
(cert_fname, key_fname),
storage='FILE',
post_command=cmgr_post_command
)
return req_id
except RuntimeError as e:
raise admintool.ScriptError(str(e))
def replace_key_cert_files(
self, cert, key, cert_fname, key_fname, ca_cert, passwd_fname=None,
profile=None, cmgr_post_command=None
):
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=cert_fname)
pkey_passwd = None
if passwd_fname is not None:
with open(passwd_fname, 'rb') as f:
pkey_passwd = f.read()
x509.write_certificate(cert, cert_fname)
x509.write_pem_private_key(key, key_fname, pkey_passwd)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
ipa_ca_cert = cdb.get_cert_from_db(
get_ca_nickname(api.env.realm))
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
req_id = certmonger.start_tracking(
(cert_fname, key_fname),
pinfile=passwd_fname,
storage='FILE',
post_command=cmgr_post_command
)
return req_id
except RuntimeError as e:
raise admintool.ScriptError(str(e))
return None
def stop_tracking_certificates(self, stop_certmonger=True):
"""Stop tracking our certificates. Called on uninstall.
"""
logger.debug(
"Configuring certmonger to stop tracking system certificates "
"for %s", self.subsystem)
cmonger = services.knownservices.certmonger
if not services.knownservices.dbus.is_running():
# some platforms protect dbus with RefuseManualStart=True
services.knownservices.dbus.start()
cmonger.start()
nicknames = list(self.tracking_reqs)
if self.server_cert_name is not None:
nicknames.append(self.server_cert_name)
for nickname in nicknames:
try:
certmonger.stop_tracking(
self.nss_db, nickname=nickname)
except RuntimeError as e:
logger.error(
"certmonger failed to stop tracking certificate: %s", e)
if stop_certmonger:
cmonger.stop()
def stop_tracking_certificates(self, stop_certmonger=True):
"""Stop tracking our certificates. Called on uninstall.
"""
self.print_msg(
"Configuring certmonger to stop tracking system certificates "
"for %s" % self.subsystem)
cmonger = services.knownservices.certmonger
services.knownservices.messagebus.start()
cmonger.start()
nicknames = [nickname for nickname, _profile in self.tracking_reqs]
if self.server_cert_name is not None:
nicknames.append(self.server_cert_name)
for nickname in nicknames:
try:
certmonger.stop_tracking(
self.nss_db, nickname=nickname)
except RuntimeError as e:
self.log.error(
"certmonger failed to stop tracking certificate: %s", e)
if stop_certmonger:
cmonger.stop()
def stop_tracking_certificates(self, stop_certmonger=True):
"""
Stop tracking our certificates. Called on uninstall. Also called
during upgrade to fix discrepancies.
"""
logger.debug(
"Configuring certmonger to stop tracking system certificates "
"for %s", self.subsystem)
cmonger = services.knownservices.certmonger
if not services.knownservices.dbus.is_running():
# some platforms protect dbus with RefuseManualStart=True
services.knownservices.dbus.start()
cmonger.start()
for nickname in self.tracking_reqs:
try:
certmonger.stop_tracking(self.nss_db, nickname=nickname)
except RuntimeError as e:
logger.error(
"certmonger failed to stop tracking certificate: %s", e)
if stop_certmonger:
cmonger.stop()
def untrack_server_cert(self, nickname):
"""
Tell certmonger to stop tracking the given certificate nickname.
"""
try:
certmonger.stop_tracking(self.secdir, nickname=nickname)
except RuntimeError as e:
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
def untrack_server_cert(self, nickname):
"""
Tell certmonger to stop tracking the given certificate nickname.
"""
try:
certmonger.stop_tracking(self.secdir, nickname=nickname)
except RuntimeError as e:
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
def install_kdc_cert(self):
ca_cert_file = paths.CA_BUNDLE_PEM
pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
cert_files=self.args,
key_password=self.options.pin,
key_nickname=self.options.cert_name,
ca_cert_files=[ca_cert_file],
realm_name=api.env.realm)
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
# Check that the ca_cert is known and trusted
with tempfile.NamedTemporaryFile() as temp:
certs.install_pem_from_p12(pkcs12_file.name, pin, temp.name)
kdc_cert = x509.load_certificate_from_file(temp.name)
ca_certs = x509.load_certificate_list_from_file(ca_cert_file)
try:
verify_kdc_cert_validity(kdc_cert, ca_certs, api.env.realm)
except ValueError as e:
raise admintool.ScriptError(
"Peer's certificate issuer is not trusted (%s). "
"Please run ipa-cacert-manage install and ipa-certupdate "
"to install the CA certificate." % str(e))
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=paths.KDC_CERT)
certs.install_pem_from_p12(pkcs12_file.name, pin, paths.KDC_CERT)
certs.install_key_from_p12(pkcs12_file.name, pin, paths.KDC_KEY)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
ipa_ca_cert = cdb.get_cert_from_db(
get_ca_nickname(api.env.realm),
pem=False)
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
certmonger.start_tracking(
(paths.KDC_CERT, paths.KDC_KEY),
storage='FILE',
profile='KDCs_PKINIT_Certs')
except RuntimeError as e:
raise admintool.ScriptError(str(e))
krb = krbinstance.KrbInstance()
krb.init_info(
realm_name=api.env.realm,
host_name=api.env.host,
)
krb.pkinit_enable()
def install_kdc_cert(self):
ca_cert_file = paths.CA_BUNDLE_PEM
pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
cert_files=self.args,
key_password=self.options.pin,
key_nickname=self.options.cert_name,
ca_cert_files=[ca_cert_file],
realm_name=api.env.realm)
cdb = certs.CertDB(api.env.realm, nssdir=paths.IPA_NSSDB_DIR)
# Check that the ca_cert is known and trusted
with tempfile.NamedTemporaryFile() as temp:
certs.install_pem_from_p12(pkcs12_file.name, pin, temp.name)
kdc_cert = x509.load_certificate_from_file(temp.name)
ca_certs = x509.load_certificate_list_from_file(ca_cert_file)
try:
verify_kdc_cert_validity(kdc_cert, ca_certs, api.env.realm)
except ValueError as e:
raise admintool.ScriptError(
"Peer's certificate issuer is not trusted (%s). "
"Please run ipa-cacert-manage install and ipa-certupdate "
"to install the CA certificate." % str(e))
try:
ca_enabled = api.Command.ca_is_enabled()['result']
if ca_enabled:
certmonger.stop_tracking(certfile=paths.KDC_CERT)
certs.install_pem_from_p12(pkcs12_file.name, pin, paths.KDC_CERT)
certs.install_key_from_p12(pkcs12_file.name, pin, paths.KDC_KEY)
if ca_enabled:
# Start tracking only if the cert was issued by IPA CA
# Retrieve IPA CA
ipa_ca_cert = cdb.get_cert_from_db(get_ca_nickname(
api.env.realm),
pem=False)
# And compare with the CA which signed this certificate
if ca_cert == ipa_ca_cert:
certmonger.start_tracking((paths.KDC_CERT, paths.KDC_KEY),
storage='FILE',
profile='KDCs_PKINIT_Certs')
except RuntimeError as e:
raise admintool.ScriptError(str(e))
krb = krbinstance.KrbInstance()
krb.init_info(
realm_name=api.env.realm,
host_name=api.env.host,
)
krb.pkinit_enable()
def execute(self, **options):
ca_enabled = self.api.Command.ca_is_enabled()['result']
if not ca_enabled:
return False, []
olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
if not olddb.has_nickname('ipaCert'):
# Nothign to do
return False, []
newdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
if os.path.exists(paths.IPA_RADB_DIR):
if newdb.has_nickname('ipaCert'):
self.log.warning(
"An 'ipaCert' nickname exists in both the old {} and the "
"new {} NSS Databases!".format(paths.HTTPD_ALIAS_DIR,
paths.IPA_RADB_DIR))
return False, []
else:
# Create the DB
newdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
# Import cert chain (ignore errors, as certs may already be imported)
certlist = olddb.list_certs()
certflags = {}
for name, flags in certlist:
certflags[name] = flags
for name in olddb.get_trust_chain('ipaCert'):
if name == 'ipaCert':
continue
try:
cert = olddb.get_cert(name, pem=True)
newdb.add_cert(cert, name, certflags[name], pem=True)
except Exception as e: # pylint disable=broad-except
self.log.warning("Failed to import '{}' from trust "
"chain: {}".format(name, str(e)))
# As the last step export/import/delete the RA Cert
pw = binascii.hexlify(os.urandom(10))
p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
olddb.export_pkcs12('ipaCert', p12file, pw)
newdb.import_pkcs12(p12file, pw)
certmonger.stop_tracking(secdir=olddb.secdir, nickname='ipaCert')
certmonger.start_tracking(secdir=newdb.secdir,
nickname='ipaCert',
password_file=newdb.pwd_file)
olddb.delete_cert('ipaCert')
return False, []
def execute(self, **options):
ra_nick = 'ipaCert'
ca_enabled = self.api.Command.ca_is_enabled()['result']
if not ca_enabled:
return False, []
try:
certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
except ValueError as e:
logger.warning("Problem opening NSS database in "
"%s. Skipping check for existing RA "
"agent certificate: %s", paths.HTTPD_ALIAS_DIR, e)
return False, []
if not certdb.has_nickname(ra_nick):
# Nothign to do
return False, []
elif os.path.exists(paths.RA_AGENT_PEM):
# even though the certificate file exists, we will overwrite it
# as it's probabably something wrong anyway
logger.warning(
"A certificate with the nickname 'ipaCert' exists in "
"the old '%s' NSS database as well as in the new "
"PEM file '%s'",
paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)
_fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
# no password is necessary as we will be saving it in clear anyway
certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')
# stop tracking the old cert and remove it
certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
certdb.delete_key_and_cert(ra_nick)
if os.path.exists(paths.OLD_KRA_AGENT_PEM):
os.remove(paths.OLD_KRA_AGENT_PEM)
# get the private key and certificate from the file and start
# tracking it in certmonger
ca = cainstance.CAInstance()
ca.import_ra_cert(p12file)
os.remove(p12file)
return False, []
def execute(self, **options):
ra_nick = 'ipaCert'
ca_enabled = self.api.Command.ca_is_enabled()['result']
if not ca_enabled:
return False, []
certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
if not certdb.has_nickname(ra_nick):
# Nothign to do
return False, []
elif os.path.exists(paths.RA_AGENT_PEM):
# even though the certificate file exists, we will overwrite it
# as it's probabably something wrong anyway
self.log.warning(
"A certificate with the nickname 'ipaCert' exists in "
"the old '{}' NSS database as well as in the new "
"PEM file '{}'"
.format(paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM))
_fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
# no password is necessary as we will be saving it in clear anyway
certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')
# stop tracking the old cert and remove it
certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
certdb.delete_cert(ra_nick)
if os.path.exists(paths.OLD_KRA_AGENT_PEM):
os.remove(paths.OLD_KRA_AGENT_PEM)
# get the private key and certificate from the file and start
# tracking it in certmonger
ca = cainstance.CAInstance()
ca.import_ra_cert(p12file)
os.remove(p12file)
return False, []
def stop_tracking_certs(self):
certmonger.stop_tracking(certfile=paths.KDC_CERT)
def stop_tracking_certificates(self):
try:
certmonger.stop_tracking(certfile=paths.HTTPD_CERT_FILE)
except RuntimeError as e:
logger.error("certmonger failed to stop tracking certificate: %s",
str(e))
def stop_tracking_certs(self):
certmonger.stop_tracking(certfile=paths.KDC_CERT)
def stop_tracking_certificates(self):
try:
certmonger.stop_tracking(certfile=paths.HTTPD_CERT_FILE)
except RuntimeError as e:
logger.error("certmonger failed to stop tracking certificate: %s",
str(e))