On 22.7.2013 17:40, Simo Sorce wrote:
On Mon, 2013-07-22 at 17:36 +0200, Jan Cholasta wrote:
if nickname == 'subsystemCert cert-pki-ca': - update_people_entry('pkidbuser', cert) + update_people_entry(dogtag_uri, 'pkidbuser', cert)
This is probably wrong, there is no pkidbuser in old instances. My subsystemCert has a subject of "CN=CA Subsystem,O=REALM" and this cert is associated to an object named: uid=CA-<server-name>-9443,ou=people,o=ipaca I think you need to search the db to find the right object(s) to update.
Right. Updated patch attached. Honza -- Jan Cholasta
>From 46feab87d4fecc9f2fad283e8e5e1d360115dca2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <[email protected]>
Date: Tue, 23 Jul 2013 10:19:42 +0000
Subject: [PATCH] Fix certificate renewal scripts to work with separate CA DS instance.

https://fedorahosted.org/freeipa/ticket/3805
---
 install/restart_scripts/renew_ca_cert | 4 +--
 install/restart_scripts/renew_ra_cert | 2 +-
 ipaserver/install/cainstance.py | 60 ++++++++++++++++++++++++-----------
 3 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5768db3..94bf803 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -84,9 +84,7 @@ finally:
 shutil.rmtree(tmpdir)
 
 update_cert_config(nickname, cert)
-
-if nickname == 'subsystemCert cert-pki-ca':
- update_people_entry('pkidbuser', cert)
+update_people_entry(cert)
 
 if nickname == 'auditSigningCert cert-pki-ca':
 # Fix trust on the audit cert
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e541e4b..596ca2b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -41,7 +41,7 @@ db = certs.CertDB(api.env.realm)
 dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-update_people_entry('ipara', dercert)
+update_people_entry(dercert)
 
 attempts = 0
 updated = False
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ca3ee69..7b79e17 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -40,6 +40,7 @@ import ConfigParser
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
+from ipalib import api
 from ipalib import pkcs10, x509
 from ipalib import errors
 from ipapython.dn import DN
@@ -1707,58 +1708,81 @@ def update_cert_config(nickname, cert):
 base64.b64encode(cert), quotes=False, separator='=')
 
-def update_people_entry(uid, dercert):
+def update_people_entry(dercert):
 """
 Update the userCerticate for an entry in the dogtag ou=People. This
 is needed when a certificate is renewed.
 
- uid: uid of user to update
 dercert: An X509.3 certificate in DER format
 
 Logging is done via syslog
 
 Returns True or False
 """
- dn = DN(('uid',uid),('ou','People'),('o','ipaca'))
+ base_dn = DN(('ou','People'), ('o','ipaca'))
 serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
 subject = x509.get_subject(dercert, datatype=x509.DER)
 issuer = x509.get_issuer(dercert, datatype=x509.DER)
 attempts = 0
- dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
+ configured_constants = dogtag.configured_constants(api)
+ dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
 updated = False
 
 try:
 dm_password = certmonger.get_pin('internaldb')
 except IOError, e:
- syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+ syslog.syslog(
+ syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
 return False
 
 while attempts < 10:
 conn = None
 try:
 conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
- conn.connect(bind_dn=DN(('cn', 'directory manager')),
- bind_pw=dm_password)
- (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
- entry_attrs['usercertificate'].append(dercert)
- entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
- subject)
- conn.update_entry(dn, entry_attrs)
+ conn.connect(
+ bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+
+ filter = conn.make_filter(
+ {'description': ';%s;%s' % (issuer, subject)},
+ exact=False, trailing_wildcard=False)
+ try:
+ entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, filter)
+ except errors.NotFound:
+ entries = []
+ updated = True
+
+ for entry in entries:
+ syslog.syslog(
+ syslog.LOG_NOTICE, 'Updating entry %s' % 
str(entry.dn))
+
+ try:
+ entry['usercertificate'].append(dercert)
+ entry['description'] = '2;%d;%s;%s' % (
+ serial_number, issuer, subject)
+
+ conn.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR,
+ 'Updating entry %s failed: %s' % (str(entry.dn), e))
+ updated = False
+ break
 except errors.NetworkError:
- syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed, sleeping 30s' % dogtag_uri)
+ syslog.syslog(
+ syslog.LOG_ERR,
+ 'Connection to %s failed, sleeping 30s' % dogtag_uri)
 time.sleep(30)
 attempts += 1
- except errors.EmptyModlist:
- updated = True
- break
 except Exception, e:
- syslog.syslog(syslog.LOG_ERR, 'Updating %s entry failed: %s' % (str(dn), e))
+ syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e)
 break
 finally:
- if conn.isconnected():
+ if conn is not None and conn.isconnected():
 conn.disconnect()
 
 if not updated:
-- 
1.8.3.1
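Review bot: When the search matches nothing — the `except errors.NotFound` branch sets `entries = []` and `updated = True` follows — the function returns success without writing a single syslog line, so a renewal whose certificate is registered under no ou=People entry is indistinguishable in the log from one that updated the expected entries. Since renew_ca_cert now calls `update_people_entry(cert)` unconditionally for every nickname, an empty match is a normal outcome for some certificates and should not become a failure, but it should be visible: `if not entries: syslog.syslog(syslog.LOG_NOTICE, 'No ou=People entry matches issuer %s and subject %s' % (issuer, subject))`. Two smaller points: `filter` shadows the builtin, `search_filter` reads better; and the docstring still describes a single entry while the new code updates every entry whose description contains the issuer and subject, e.g. `Update the userCertificate of every entry in the dogtag ou=People whose description matches the certificate's issuer and subject.` The `if not updated:` handling at the end of the function continues past the hunk.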
