On 04/10/2012 04:48 PM, Martin Kosek wrote: > On Fri, 2012-04-06 at 10:22 +0200, Martin Kosek wrote: >> On Thu, 2012-04-05 at 16:47 -0400, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On Tue, 2012-04-03 at 10:45 -0400, Rob Crittenden wrote: >>>>>> Rob Crittenden wrote: >>>>>>> Martin Kosek wrote: >>>>>>>> On Mon, 2012-04-02 at 15:36 -0400, Rob Crittenden wrote: >>>>>>>>> Rob Crittenden wrote: >>>>>>>>>> Martin Kosek wrote: >>>>>>>>>>> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote: >>>>>>>>>>>> Certmonger will currently automatically renew server >>>>>>>>>>>> certificates but >>>>>>>>>>>> doesn't restart the services so you can still end up with expired >>>>>>>>>>>> certificates if you services never restart. >>>>>>>>>>>> >>>>>>>>>>>> This patch registers are restart command with certmonger so the >>>>>>>>>>>> IPA >>>>>>>>>>>> services will automatically be restarted to get the updated cert. >>>>>>>>>>>> >>>>>>>>>>>> Easy to test. Install IPA then resubmit the current server >>>>>>>>>>>> certs and >>>>>>>>>>>> watch the services restart: >>>>>>>>>>>> >>>>>>>>>>>> # ipa-getcert list >>>>>>>>>>>> >>>>>>>>>>>> Find the ID for either your dirsrv or httpd instance >>>>>>>>>>>> >>>>>>>>>>>> # ipa-getcert resubmit -i<ID> >>>>>>>>>>>> >>>>>>>>>>>> Watch /var/log/httpd/error_log or >>>>>>>>>>>> /var/log/dirsrv/slapd-INSTANCE/errors >>>>>>>>>>>> to see the service restart. >>>>>>>>>>>> >>>>>>>>>>>> rob >>>>>>>>>>> What about current instances - can we/do we want to update >>>>>>>>>>> certmonger >>>>>>>>>>> tracking so that their instances are restarted as well? >>>>>>>>>>> >>>>>>>>>>> Anyway, I found few issues SELinux issues with the patch: >>>>>>>>>>> >>>>>>>>>>> 1) # rpm -Uvh freeipa-* >>>>>>>>>>> Preparing... ########################################### [100%] >>>>>>>>>>> 1:freeipa-python ########################################### [ 20%] >>>>>>>>>>> 2:freeipa-client ########################################### [ 40%] >>>>>>>>>>> 3:freeipa-admintools ########################################### [ >>>>>>>>>>> 60%] >>>>>>>>>>> 4:freeipa-server ########################################### [ 80%] >>>>>>>>>>> /usr/bin/chcon: failed to change context of >>>>>>>>>>> `/usr/lib64/ipa/certmonger' to >>>>>>>>>>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid >>>>>>>>>>> argument >>>>>>>>>>> /usr/bin/chcon: failed to change context of >>>>>>>>>>> `/usr/lib64/ipa/certmonger/restart_dirsrv' to >>>>>>>>>>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid >>>>>>>>>>> argument >>>>>>>>>>> /usr/bin/chcon: failed to change context of >>>>>>>>>>> `/usr/lib64/ipa/certmonger/restart_httpd' to >>>>>>>>>>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid >>>>>>>>>>> argument >>>>>>>>>>> warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64) >>>>>>>>>>> scriptlet failed, exit status 1 >>>>>>>>>>> 5:freeipa-server-selinux >>>>>>>>>>> ########################################### >>>>>>>>>>> [100%] >>>>>>>>>>> >>>>>>>>>>> certmonger_unconfined_exec_t type was unknown with my selinux >>>>>>>>>>> policy: >>>>>>>>>>> >>>>>>>>>>> selinux-policy-3.10.0-80.fc16.noarch >>>>>>>>>>> selinux-policy-targeted-3.10.0-80.fc16.noarch >>>>>>>>>>> >>>>>>>>>>> If we need a higher SELinux version, we should bump the required >>>>>>>>>>> package >>>>>>>>>>> version spec file. >>>>>>>>>> Yeah, waiting on it to be backported. >>>>>>>>>> >>>>>>>>>>> 2) Change of SELinux context with /usr/bin/chcon is temporary until >>>>>>>>>>> restorecon or system relabel occurs. I think we should make it >>>>>>>>>>> persistent and enforce this type in our SELinux policy and >>>>>>>>>>> rather call >>>>>>>>>>> restorecon instead of chcon >>>>>>>>>> That's a good idea, why didn't I think of that :-( >>>>>>>>> Ah, now I remember, it will be handled by selinux-policy. I would >>>>>>>>> have >>>>>>>>> used restorecon here but since the policy isn't there yet this seemed >>>>>>>>> like a good idea. >>>>>>>>> >>>>>>>>> I'm trying to find out the status of this new policy, it may only >>>>>>>>> make >>>>>>>>> it into F-17. >>>>>>>>> >>>>>>>>> rob >>>>>>>> Ok. But if this policy does not go in F-16 and if we want this fix in >>>>>>>> F16 release too, I guess we would have to implement both approaches in >>>>>>>> our spec file: >>>>>>>> >>>>>>>> 1) When on F16, include SELinux policy for restart scripts + run >>>>>>>> restorecon >>>>>>>> 2) When on F17, do not include the SELinux policy (+ run restorecon) >>>>>>>> >>>>>>>> Martin >>>>>>>> >>>>>>> Won't work without updated selinux-policy. Without the permission for >>>>>>> certmonger to execute the commands things will still fail (just in >>>>>>> really non-obvious and far in the future ways). >>>>>>> >>>>>>> It looks like this is fixed in F-17 selinux-policy-3.10.0-107. >>>>>>> >>>>>>> rob >>>>>> Updated patch which works on F-17. >>>>>> >>>>>> rob >>>>> What about F-16? The restart scripts won't work with enabled enforcing >>>>> and will raise AVCs. Maybe we really need to deliver our own SELinux >>>>> policy allowing it on F-16. >>>> Right, I don't see this working on F-16. I don't really want to carry >>>> this type of policy. It goes beyond marking a few files as certmonger_t, >>>> it is going to let certmonger execute arbitrary scripts. This is best >>>> left to the SELinux team who understand the consequences better. >>>> >>>>> I also found an issue with the restart scripts: >>>>> >>>>> 1) restart_dirsrv: this won't work with systemd: >>>>> >>>>> # /sbin/service dirsrv restart >>>>> Redirecting to /bin/systemctl restart dirsrv.service >>>>> Failed to issue method call: Unit dirsrv.service failed to load: No such >>>>> file or directory. See system logs and 'systemctl status dirsrv.service' >>>>> for details. >>>> Wouldn't work so hot for sysV either as we'd be restarting all >>>> instances. I'll take a look. >>>> >>>>> We would need to pass an instance of IPA dirsrv for this to work. >>>>> >>>>> 2) restart_httpd: >>>>> Is reload enough for httpd to pull a new certificate? Don't we need a >>>>> full restart? If reload is enough, I think the command should be named >>>>> reload_httpd >>>> Yes, it causes the modules to be reloaded which will reload the NSS >>>> database, that's all we need. I named it this way for consistency. I can >>>> rename it, though I doubt it would cause any confusion either way. >>>> >>>> rob >>> revised patch. >>> >>> rob >> Thanks, this is better, dirsrv restart is now fixed. I still have few >> issues: >> >> 1) Wrong command for httpd certs (should be reload_httpd): >> >> - db.track_server_cert(nickname, self.principal, >> db.passwd_fname) >> + db.track_server_cert(nickname, self.principal, >> db.passwd_fname, 'restart_httpd') >> >> - db.track_server_cert("Server-Cert", self.principal, >> db.passwd_fname) >> + db.track_server_cert("Server-Cert", self.principal, >> db.passwd_fname, 'restart_httpd') >> >> >> 2) What about current certmonger monitored certs? We can use the command >> Nalin suggested to modify existing monitored certs to set up a restart >> command: >> >> # ipa-getcert list >> ... >> Request ID '20120404083924': >> status: MONITORING >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM >> subject: CN=vm-079.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM >> expires: 2014-04-05 08:39:24 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> command: >> track: yes >> auto-renew: yes >> >> # ipa-getcert start-tracking -i 20120404083924 -C >> /usr/lib64/ipa/certmonger/reload_httpd >> Request "20120404083924" modified. >> >> # ipa-getcert list >> Request ID '20120404083924': >> status: MONITORING >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM >> subject: CN=vm-079.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM >> expires: 2014-04-05 08:39:24 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> command: /usr/lib64/ipa/certmonger/reload_httpd >> track: yes >> auto-renew: yes >> >> 3) The new dirsrv service restart command does not work either with >> systemd: >> # service dirsrv restart IDM-LAB-BOS-REDHAT-COM >> >> I think the approach here would be to take advantage of our system >> service management abstraction that ipactl uses. It will then work well >> with SysV, systemd or any other future configurations or ports to other >> Linux distributions. Example of the script which restarts the required >> instance: >> >> # cat /tmp/restart_dirsrv >> #!/usr/bin/python >> >> import sys >> from ipapython import services as ipaservices >> >> try: >> instance = sys.argv[1] >> except IndexError: >> instance = "" >> >> dirsrv = ipaservices.knownservices.dirsrv >> dirsrv.restart(instance) >> >> # /tmp/restart_dirsrv IDM-LAB-BOS-REDHAT-COM >> >> Martin >> > I prepared a rebased and fixed patch which works on both SystemV and > systemd systems, please check attached file. > > The patch does not include updating existing certs, it would need more > time to implement a safe update that it is not available this late in > the game. We may want to create a ticket to add a documentation about > how to update existing certs + RFE for add a support of updating > existing certs later. > > Martin
This should come out of the bigger cert renewal strategy effort. > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel