def install_replica_ds(config, options, ca_is_configured, remote_api,
                       ca_file, pkcs12_info=None, fstore=None):
    """Create the directory server instance for a replica and return it.

    :param config: replica configuration; ``dir``, ``realm_name``,
        ``master_host_name``, ``host_name``, ``domain_name``,
        ``dirman_password`` and ``subject_base`` are read from it
    :param options: installer options; ``dirsrv_config_file`` and
        ``no_pkinit`` are read from it
    :param ca_is_configured: whether the topology has an IPA CA; selects
        where the CA subject DN is taken from
    :param remote_api: API handle for the existing master; used for the CA
        subject lookup and handed to ``create_replica`` as ``api``
    :param ca_file: CA certificate file handed to ``create_replica``
    :param pkcs12_info: server-certificate bundle description; when ``None``
        the default ``dscert.p12`` / ``dirsrv_pin.txt`` pair in
        ``config.dir`` is described via ``make_pkcs12_info``
    :param fstore: file store object handed to ``DsInstance`` (may be
        ``None``)
    :returns: the configured ``dsinstance.DsInstance``
    """
    dsinstance.check_ports()

    # No bundle was passed in: describe the replica's default bundle and
    # pin file. What make_pkcs12_info yields when that file is absent is
    # not visible here; presumably None, in which case DS setup creates
    # the CA cert itself.
    if pkcs12_info is None:
        pkcs12_info = make_pkcs12_info(
            config.dir, "dscert.p12", "dirsrv_pin.txt")

    # With a CA in the topology the subject DN is looked up on the master;
    # otherwise fall back to the default derived from the subject base.
    ca_subject = (
        ca.lookup_ca_subject(remote_api, config.subject_base)
        if ca_is_configured
        else installutils.default_ca_subject_dn(config.subject_base)
    )

    ds = dsinstance.DsInstance(
        config_ldif=options.dirsrv_config_file, fstore=fstore)
    replica_args = dict(
        realm_name=config.realm_name,
        master_fqdn=config.master_host_name,
        fqdn=config.host_name,
        domain_name=config.domain_name,
        dm_password=config.dirman_password,
        subject_base=config.subject_base,
        ca_subject=ca_subject,
        pkcs12_info=pkcs12_info,
        ca_is_configured=ca_is_configured,
        ca_file=ca_file,
        api=remote_api,
        setup_pkinit=not options.no_pkinit,
    )
    ds.create_replica(**replica_args)
    return ds
def install_replica_ds(config, options, ca_is_configured, remote_api,
                       ca_file, pkcs12_info=None, fstore=None):
    """Create the directory server instance for a replica and return it.

    :param config: replica configuration; ``dir``, ``realm_name``,
        ``master_host_name``, ``host_name``, ``domain_name``,
        ``dirman_password`` and ``subject_base`` are read from it
    :param options: installer options; ``dirsrv_config_file`` and
        ``no_pkinit`` are read from it
    :param ca_is_configured: whether the topology has an IPA CA; selects
        where the CA subject DN is taken from
    :param remote_api: API handle for the existing master; used for the CA
        subject lookup and handed to ``create_replica`` as ``api``
    :param ca_file: CA certificate file handed to ``create_replica``
    :param pkcs12_info: server-certificate bundle description; when ``None``
        the default ``dscert.p12`` / ``dirsrv_pin.txt`` pair in
        ``config.dir`` is described via ``make_pkcs12_info``
    :param fstore: file store object handed to ``DsInstance`` (may be
        ``None``)
    :returns: the configured ``dsinstance.DsInstance``
    """
    def resolve_ca_subject():
        # Ask the master when a CA exists; otherwise use the conventional
        # default derived from the subject base.
        if ca_is_configured:
            return ca.lookup_ca_subject(remote_api, config.subject_base)
        return installutils.default_ca_subject_dn(config.subject_base)

    dsinstance.check_ports()

    if pkcs12_info is None:
        # Describe the replica's default bundle and pin file. What
        # make_pkcs12_info yields when the file is absent is not visible
        # here; presumably None, so DS setup then creates the CA cert.
        pkcs12_info = make_pkcs12_info(
            config.dir, "dscert.p12", "dirsrv_pin.txt")

    ca_subject = resolve_ca_subject()

    ds = dsinstance.DsInstance(
        config_ldif=options.dirsrv_config_file, fstore=fstore)
    ds.create_replica(
        realm_name=config.realm_name,
        master_fqdn=config.master_host_name,
        fqdn=config.host_name,
        domain_name=config.domain_name,
        dm_password=config.dirman_password,
        subject_base=config.subject_base,
        ca_subject=ca_subject,
        pkcs12_info=pkcs12_info,
        ca_is_configured=ca_is_configured,
        ca_file=ca_file,
        api=remote_api,
        setup_pkinit=not options.no_pkinit,
    )
    return ds
def install(api, replica_config, options, custodia):
    """Install and enable the KRA on this server when it was requested.

    Returns early (``None``) when KRA setup was not requested: on a
    master that is ``options.setup_kra``, on a replica
    ``replica_config.setup_kra``.

    On a replica the KRA key material is first fetched through
    ``custodia`` into ``<replica_config.dir>/kracert.p12`` after a
    host-keytab kinit performed inside ``ipautil.private_ccache()``
    (presumably so the caller's credential cache is left untouched);
    the KRA instance is then configured in promotion mode against
    ``replica_config.kra_host_name``. Afterwards the directory server
    and httpd are restarted, and named is restarted if it is running.

    :param api: IPA API object; ``env.realm`` / ``env.host`` are read
        from it and it is used for the CA subject lookup
    :param replica_config: replica configuration, or ``None`` on a master
    :param options: installer options (``setup_kra``, ``dm_password``,
        ``pki_config_override``)
    :param custodia: Custodia client used to fetch the KRA keys on a
        replica
    """
    promote = replica_config is not None

    if not promote:
        if not options.setup_kra:
            return
        realm_name = api.env.realm
        dm_password = options.dm_password
        host_name = api.env.host
        subject_base = dsinstance.DsInstance().find_subject_base()
        pkcs12_info = None
        master_host = None
    else:
        if not replica_config.setup_kra:
            return
        kra_bundle = os.path.join(replica_config.dir, 'kracert.p12')
        with ipautil.private_ccache():
            cc_path = os.environ['KRB5CCNAME']
            kinit_keytab(
                'host/{env.host}@{env.realm}'.format(env=api.env),
                paths.KRB5_KEYTAB,
                cc_path)
            custodia.get_kra_keys(
                kra_bundle, replica_config.dirman_password)
        realm_name = replica_config.realm_name
        dm_password = replica_config.dirman_password
        host_name = replica_config.host_name
        subject_base = replica_config.subject_base
        pkcs12_info = (kra_bundle,)
        master_host = replica_config.kra_host_name

    ca_subject = ca.lookup_ca_subject(api, subject_base)

    kra = krainstance.KRAInstance(realm_name)
    # dm_password is passed for both positional password parameters of
    # configure_instance; their individual meaning is not visible here.
    kra.configure_instance(
        realm_name, host_name, dm_password, dm_password,
        subject_base=subject_base,
        ca_subject=ca_subject,
        pkcs12_info=pkcs12_info,
        master_host=master_host,
        promote=promote,
        pki_config_override=options.pki_config_override,
    )

    _service.print_msg("Restarting the directory server")
    dsinstance.DsInstance().restart()
    kra.enable_client_auth_to_db()

    # Restart apache for new proxy config file
    services.knownservices.httpd.restart(capture_output=True)

    # Restarted named to restore bind-dyndb-ldap operation, see
    # https://pagure.io/freeipa/issue/5813
    named = services.knownservices.named  # alias for current named
    if named.is_running():
        named.restart(capture_output=True)
def export_certdb(self, fname, passwd_fname):
    """Export a cert database

    Builds an NSS database under ``self.dir`` from the CA certificate,
    issues a "Server-Cert" for ``self.replica_fqdn`` and exports it as
    ``<self.dir>/<fname>.p12`` protected by the password held in
    ``passwd_fname``. The NSS database files and the noise file are
    removed afterwards. The CA subject is looked up through the global
    ``api``.

    :param fname: The file to export to (relative to the info directory)
    :param passwd_fname: File that holds the cert DB password
    :raises admintool.ScriptError: wrapping any
        ``errors.CertificateOperationError`` raised by the NSS operations

    NOTE(review): indentation was lost in the source this was recovered
    from; the reconstruction below treats the two ``remove_file`` calls
    as the failure path of ``export_pkcs12`` and the
    ``remove_info_file`` calls as unconditional — confirm against the
    original file.
    """
    hostname = self.replica_fqdn
    subject_base = self.subject_base
    ca_subject = ca.lookup_ca_subject(api, subject_base)
    nickname = "Server-Cert"

    try:
        db = certs.CertDB(api.env.realm, nssdir=self.dir,
                          host_name=api.env.host,
                          subject_base=subject_base,
                          ca_subject=ca_subject)
        db.create_passwd_file()
        db.create_from_cacert()
        db.create_server_cert(nickname, hostname)
        pkcs12_fname = os.path.join(self.dir, fname + ".p12")

        try:
            db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
        except ipautil.CalledProcessError as e:
            # The failure is only logged at info level and the method
            # still returns normally: callers cannot tell from the return
            # value that no bundle was written.
            logger.info("error exporting Server certificate: %s", e)
            installutils.remove_file(pkcs12_fname)
            installutils.remove_file(passwd_fname)

        # The temporary NSS database (presumably including the private
        # key store) is not needed once the export has been attempted.
        self.remove_info_file("cert8.db")
        self.remove_info_file("key3.db")
        self.remove_info_file("secmod.db")
        self.remove_info_file("noise.txt")

        # Drop the ".orig" copy of the password file if one exists
        # (presumably a backup made when the password file was written).
        orig_filename = passwd_fname + ".orig"
        if ipautil.file_exists(orig_filename):
            installutils.remove_file(orig_filename)
    except errors.CertificateOperationError as e:
        raise admintool.ScriptError(str(e))
def export_certdb(self, fname, passwd_fname):
    """Export a cert database

    Builds an NSS database under ``self.dir`` from the CA certificate,
    issues a "Server-Cert" for ``self.replica_fqdn`` and exports it as
    ``<self.dir>/<fname>.p12`` protected by the password held in
    ``passwd_fname``. The NSS database files and the noise file are
    removed afterwards. The CA subject is looked up through the global
    ``api``.

    :param fname: The file to export to (relative to the info directory)
    :param passwd_fname: File that holds the cert DB password
    :raises admintool.ScriptError: wrapping any
        ``errors.CertificateOperationError`` raised by the NSS operations

    NOTE(review): indentation was lost in the source this was recovered
    from; the reconstruction below treats the two ``remove_file`` calls
    as the failure path of ``export_pkcs12`` and the
    ``remove_info_file`` calls as unconditional — confirm against the
    original file.
    """
    hostname = self.replica_fqdn
    subject_base = self.subject_base
    ca_subject = ca.lookup_ca_subject(api, subject_base)
    nickname = "Server-Cert"

    try:
        db = certs.CertDB(
            api.env.realm,
            nssdir=self.dir,
            host_name=api.env.host,
            subject_base=subject_base,
            ca_subject=ca_subject)
        db.create_passwd_file()
        db.create_from_cacert()
        db.create_server_cert(nickname, hostname)
        pkcs12_fname = os.path.join(self.dir, fname + ".p12")

        try:
            db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
        except ipautil.CalledProcessError as e:
            # The failure is only logged at info level and the method
            # still returns normally: callers cannot tell from the return
            # value that no bundle was written.
            logger.info("error exporting Server certificate: %s", e)
            installutils.remove_file(pkcs12_fname)
            installutils.remove_file(passwd_fname)

        # The temporary NSS database (presumably including the private
        # key store) is not needed once the export has been attempted.
        self.remove_info_file("cert8.db")
        self.remove_info_file("key3.db")
        self.remove_info_file("secmod.db")
        self.remove_info_file("noise.txt")

        # Drop the ".orig" copy of the password file if one exists
        # (presumably a backup made when the password file was written).
        orig_filename = passwd_fname + ".orig"
        if ipautil.file_exists(orig_filename):
            installutils.remove_file(orig_filename)
    except errors.CertificateOperationError as e:
        raise admintool.ScriptError(str(e))
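def run(self):
    """Drive the interactive certificate-fix procedure; return an exit code.

    Exit codes: 2 when IPA is not configured; 1 when no CA is installed
    locally or ``pki-server cert-fix`` is unavailable; 0 on success, when
    nothing is expired, or when the operator declines.

    :raises RuntimeError: when the certificate subject base cannot be
        determined from the directory server
    :raises ipautil.CalledProcessError: when ``run_cert_fix`` fails for
        any reason other than an expired DS certificate, or when the final
        ``ipactl restart`` fails
    """
    if not is_ipa_configured():
        print("IPA is not configured.")
        return 2

    if not cainstance.is_ca_installed_locally():
        print("CA is not installed on this server.")
        return 1

    # Probe for the pki-server subcommand this tool delegates to.
    try:
        ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True)
    except ipautil.CalledProcessError:
        print(
            "The 'pki-server cert-fix' command is not available; "
            "cannot proceed."
        )
        return 1

    api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
    api.finalize()
    # NOTE(review): no explicit check that the directory server is running
    # precedes this; a stopped DS surfaces as a connection error here
    # rather than a clear message.
    api.Backend.ldap2.connect()  # ensure DS is up

    subject_base = dsinstance.DsInstance().find_subject_base()
    if not subject_base:
        raise RuntimeError("Cannot determine certificate subject base.")
    ca_subject_dn = ca.lookup_ca_subject(api, subject_base)

    # "now" is two weeks ahead of the real (naive, local) time — presumably
    # so that certificates about to expire are treated as expired; confirm
    # against expired_certs.
    now = datetime.datetime.now() + datetime.timedelta(weeks=2)
    certs, extra_certs = expired_certs(now)

    if not certs and not extra_certs:
        print("Nothing to do.")
        return 0

    print(msg)
    print_intentions(certs, extra_certs)

    # Explicit operator confirmation before anything is changed.
    response = ipautil.user_input('Enter "yes" to proceed')
    if response.lower() != 'yes':
        print("Not proceeding.")
        return 0
    print("Proceeding.")

    try:
        run_cert_fix(certs, extra_certs)
    except ipautil.CalledProcessError:
        # An expired DS cert makes 'pki-server cert-fix' fail at its
        # final restart. Only in that case is the failure tolerated and
        # the IPA-specific certs installed anyway; otherwise re-raise.
        if not any(x[0] is IPACertType.LDAPS for x in extra_certs):
            raise

    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
    install_ipa_certs(subject_base, ca_subject_dn, extra_certs)

    if (
        any(x[0] != 'sslserver' for x in certs)
        or any(x[0] is IPACertType.IPARA for x in extra_certs)
    ):
        # we renewed a "shared" certificate, therefore we must
        # become the renewal master
        print("Becoming renewal master.")
        cainstance.CAInstance().set_renewal_master()

    # Restart the whole stack so every service picks up the new certs.
    ipautil.run(['ipactl', 'restart'], raiseonerr=True)

    return 0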
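def run(self):
    """Drive the interactive certificate-fix procedure; return an exit code.

    Exit codes: 2 when IPA is not configured; 1 when no CA is installed
    locally, ``pki-server cert-fix`` is unavailable, or the LDAP server
    is not running; 0 on success, when nothing is expired, or when the
    operator declines.

    :raises RuntimeError: when the certificate subject base cannot be
        determined from the directory server
    :raises ipautil.CalledProcessError: when ``fix_certreq_directives`` or
        ``run_cert_fix`` fails and the failure is not the tolerated
        expired-DS-cert case, or when the final ``ipactl restart`` fails
    """
    if not is_ipa_configured():
        print("IPA is not configured.")
        return 2

    if not cainstance.is_ca_installed_locally():
        print("CA is not installed on this server.")
        return 1

    # Probe for the pki-server subcommand this tool delegates to.
    try:
        ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True)
    except ipautil.CalledProcessError:
        print("The 'pki-server cert-fix' command is not available; "
              "cannot proceed.")
        return 1

    api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
    api.finalize()

    # Fail with a clear message instead of a connection error below.
    if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
        print("The LDAP server is not running; cannot proceed.")
        return 1

    api.Backend.ldap2.connect()  # ensure DS is up

    subject_base = dsinstance.DsInstance().find_subject_base()
    if not subject_base:
        raise RuntimeError("Cannot determine certificate subject base.")
    ca_subject_dn = ca.lookup_ca_subject(api, subject_base)

    # "now" is two weeks ahead of the real (naive, local) time — presumably
    # so that certificates about to expire are treated as expired; confirm
    # against expired_certs.
    now = datetime.datetime.now() + datetime.timedelta(weeks=2)
    certs, extra_certs, non_renewed = expired_certs(now)

    if not certs and not extra_certs:
        print("Nothing to do.")
        return 0

    print(msg)
    print_intentions(certs, extra_certs, non_renewed)

    # Explicit operator confirmation before anything is changed.
    response = ipautil.user_input('Enter "yes" to proceed')
    if response.lower() != 'yes':
        print("Not proceeding.")
        return 0
    print("Proceeding.")

    try:
        # NOTE(review): the handler below also covers a CalledProcessError
        # from fix_certreq_directives(); confirm that masking it under the
        # same condition is intended.
        fix_certreq_directives(certs)
        run_cert_fix(certs, extra_certs)
    except ipautil.CalledProcessError:
        # The DS cert was expired. This will cause 'pki-server
        # cert-fix' to fail at the final restart, and return nonzero.
        # So this exception *might* be OK to ignore.
        #
        # If 'pki-server cert-fix' has written new certificates
        # corresponding to all the extra_certs, then ignore the
        # CalledProcessError and proceed to installing the IPA-specific
        # certs. Otherwise re-raise.
        ds_cert_expired = any(
            x[0] is IPACertType.LDAPS for x in extra_certs + non_renewed)
        if not (ds_cert_expired and check_renewed_ipa_certs(extra_certs)):
            raise

    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
    install_ipa_certs(subject_base, ca_subject_dn, extra_certs)

    if (
        any(x[0] != 'sslserver' for x in certs)
        or any(x[0] is IPACertType.IPARA for x in extra_certs)
    ):
        # we renewed a "shared" certificate, therefore we must
        # become the renewal master
        print("Becoming renewal master.")
        cainstance.CAInstance().set_renewal_master()

    # Restart the whole stack so every service picks up the new certs.
    print("Restarting IPA")
    ipautil.run(['ipactl', 'restart'], raiseonerr=True)

    print(renewal_note)
    return 0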