URL: https://github.com/freeipa/freeipa/pull/219
Author: flo-renaud
 Title: #219: Refactor installer code requesting certificates
Action: opened

PR body:
"""
With this PR, the certificates requested during server installation are now 
consistently obtained through certmonger (applies to HTTP/LDAP and renew agent 
cert).

https://fedorahosted.org/freeipa/ticket/6433
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/219/head:pr219
git checkout pr219
From 0c7835de813378b98a870bcc36c460b8c1717f09 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 8 Nov 2016 09:02:57 +0100
Subject: [PATCH 1/2] Use autobind instead of host keytab authentication in
 dogtag-ipa-ca-renew-agent

This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used
before Kerberos is configured.
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index f2b15cf..14c48e4 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -85,7 +85,7 @@ def ldap_connect():
     conn = None
     try:
         conn = ldap2(api)
-        conn.connect(ccache=os.environ['KRB5CCNAME'])
+        conn.connect(autobind=True)
         yield conn
     finally:
         if conn is not None and conn.isconnected():
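Review bot: The reason for replacing `connect(ccache=os.environ['KRB5CCNAME'])` with `conn.connect(autobind=True)` on L40 lives only in the commit message, so a comment in `ldap_connect` would help the next reader: `# autobind: this helper can run before Kerberos is configured, so bind over LDAPI as the local process identity instead of with the host keytab`. As I understand it, autobind maps the calling process's identity to an LDAP entry, so the helper now depends on certmonger running it under an identity that has such a mapping; worth confirming that holds wherever the helper is deployed. `ldap_connect` continues past the hunk.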
@@ -484,11 +484,6 @@ def main():
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
     certs.renewal_lock.acquire()
     try:
-        principal = str('host/%s@%s' % (api.env.host, api.env.realm))
-        ccache_filename = os.path.join(tmpdir, 'ccache')
-        os.environ['KRB5CCNAME'] = ccache_filename
-        ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
-
         profile = os.environ.get('CERTMONGER_CA_PROFILE')
         if profile:
             handler = handlers.get(profile, request_and_store_cert)
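Review bot: With the kinit block removed, `tmpdir` created by `tempfile.mkdtemp(prefix="tmp-")` on L45 has no remaining use in this hunk; if nothing else in `main()` (which continues outside the hunk) uses it, the `mkdtemp` and whatever cleanup removes it should go too, otherwise every helper invocation creates an empty directory. `KRB5CCNAME` is also no longer exported here, so any other code path in this file that still reads `os.environ['KRB5CCNAME']` would now raise `KeyError`; the first hunk fixed `ldap_connect`, but other readers should be checked.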

From d927c638ffb1ce640e977fc61ebddec9fa20e163 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 25 Oct 2016 08:49:10 +0200
Subject: [PATCH 2/2] Refactor installer code requesting certificates

- Temporarily modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    |   2 +-
 ipapython/certmonger.py                            |  65 +++++-
 ipaserver/install/cainstance.py                    | 217 ++++++---------------
 ipaserver/install/certs.py                         |  12 --
 ipaserver/install/dogtaginstance.py                |   2 +-
 ipaserver/install/dsinstance.py                    |  38 +++-
 ipaserver/install/httpinstance.py                  |  37 +++-
 ipatests/test_integration/tasks.py                 |   1 +
 8 files changed, 187 insertions(+), 187 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 14c48e4..1b5650a 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -171,7 +171,7 @@ def request_cert():
                   "Forwarding request to dogtag-ipa-renew-agent")
 
     path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
-    args = [path] + sys.argv[1:]
+    args = [path] + sys.argv[1:] + ['--submit-option', "requestor_name=IPA"]
     if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
         args += ['-N', '-O', 'bypassCAnotafter=true']
     result = ipautil.run(args, raiseonerr=False, env=os.environ,
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 765f9e8..6f0948a 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -297,9 +297,27 @@ def add_subject(request_id, subject):
     add_request_value(request_id, 'template-subject', subject)
 
 
+def request_and_wait_for_cert(
+        nssdb, nickname, subject, principal, passwd_fname=None,
+        dns=None, ca='IPA', profile=None,
+        pre_command=None, post_command=None):
+    """
+    Execute certmonger to request a server certificate.
+
+    The method also waits for the certificate to be available.
+    """
+    reqId = request_cert(nssdb, nickname, subject, principal,
+                         passwd_fname, dns, ca, profile,
+                         pre_command, post_command)
+    state = wait_for_request(reqId, timeout=60)
+    ca_error = get_request_value(reqId, 'ca-error')
+    if state != 'MONITORING' or ca_error:
+        raise RuntimeError("Certificate issuance failed")
+    return reqId
+
 def request_cert(
         nssdb, nickname, subject, principal, passwd_fname=None,
-        dns=None):
+        dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
     """
     Execute certmonger to request a server certificate.
 
@@ -307,18 +325,33 @@ def request_cert(
         A sequence of DNS names to appear in SAN request extension.
     """
     cm = _certmonger()
-    ca_path = cm.obj_if.find_ca_by_nickname('IPA')
+    ca_path = cm.obj_if.find_ca_by_nickname(ca)
     if not ca_path:
-        raise RuntimeError('IPA CA not found')
+        raise RuntimeError('{} CA not found'.format(ca))
     request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
                               CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
                               KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
-                              SUBJECT=subject, PRINCIPAL=[principal],
+                              SUBJECT=subject,
                               CA=ca_path)
+    if principal:
+        request_parameters['PRINCIPAL'] = [principal]
     if dns is not None and len(dns) > 0:
         request_parameters['DNS'] = dns
     if passwd_fname:
         request_parameters['KEY_PIN_FILE'] = passwd_fname
+    if profile:
+        request_parameters['ca-profile'] = profile
+
+    certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
+    if pre_command:
+        if not os.path.isabs(pre_command):
+            pre_command = certmonger_cmd_template % (pre_command)
+        request_parameters['cert-presave-command'] = pre_command
+    if post_command:
+        if not os.path.isabs(post_command):
+            post_command = certmonger_cmd_template % (post_command)
+        request_parameters['cert-postsave-command'] = post_command
+
     result = cm.obj_if.add_request(request_parameters)
     try:
         if result[0]:
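Review bot: The `pre_command`/`post_command` handling on L157-L165 silently rewrites a bare command name through `paths.CERTMONGER_COMMAND_TEMPLATE`, which deserves a one-line comment so callers know what to pass: `# non-absolute commands are expanded with paths.CERTMONGER_COMMAND_TEMPLATE; absolute paths are used as given`. Both `paths` and `os` must already be in scope in ipapython/certmonger.py for these lines to work; the import block is outside the hunk, so please confirm. `request_cert` continues past the hunk.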
@@ -454,6 +487,30 @@ def remove_principal_from_cas():
             ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
 
 
+def modify_ca_helper(ca_name, helper):
+    """
+    Modify certmonger CA helper.
+
+    Applies the new helper and return the previous configuration.
+    """
+    bus = dbus.SystemBus()
+    obj = bus.get_object('org.fedorahosted.certmonger',
+                         '/org/fedorahosted/certmonger')
+    iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
+    path = iface.find_ca_by_nickname(ca_name)
+    if not path:
+        raise RuntimeError("{} is not configured".format(ca_name))
+    else:
+        ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
+        ca_iface = dbus.Interface(ca_obj,
+                                  'org.freedesktop.DBus.Properties')
+        old_helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
+                                  'external-helper')
+        ca_iface.Set('org.fedorahosted.certmonger.ca',
+                     'external-helper', helper)
+        return old_helper
+
+
 def get_pin(token):
     """
     Dogtag stores its NSS pin in a file formatted as token:PIN.
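Review bot: `modify_ca_helper` spells out the D-Bus bus name, object path and CA interface as literals on L181-L194, while `remove_principal_from_cas` just above (L171) uses `DBUS_CM_CA_IF` and `request_cert` reaches certmonger through `_certmonger()` (L136-L138); at minimum use `old_helper = ca_iface.Get(DBUS_CM_CA_IF, 'external-helper')` and `ca_iface.Set(DBUS_CM_CA_IF, 'external-helper', helper)`, and consider routing the `find_ca_by_nickname` lookup through `_certmonger()` as well. The `else:` after `raise RuntimeError(...)` on L187 is unnecessary; dedenting the body reads better. The docstring should state that the caller is responsible for restoring the returned value ("Applies the new helper and returns the previous configuration; the caller must restore it"); every caller in this PR does so in a `try/finally`, which suggests a `contextlib.contextmanager` wrapper here would remove the repeated pattern and make the restore harder to forget.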
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1b7acef..5e9f6b4 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -21,7 +21,6 @@
 
 from __future__ import print_function
 
-import array
 import base64
 import binascii
 import dbus
@@ -35,17 +34,15 @@
 import syslog
 import time
 import tempfile
-import xml.dom.minidom
 import shlex
 import pipes
 
 # pylint: disable=import-error
-from six.moves import urllib
 from six.moves.configparser import ConfigParser, RawConfigParser
 # pylint: enable=import-error
 
 from ipalib import api
-from ipalib import pkcs10, x509
+from ipalib import x509
 from ipalib import errors
 import ipalib.constants
 
@@ -76,14 +73,6 @@
                                               DogtagInstance)
 from ipaserver.plugins import ldap2
 
-# Python 3 rename. The package is available in "six.moves.http_client", but
-# pylint cannot handle classes from that alias
-try:
-    import httplib
-except ImportError:
-    # pylint: disable=import-error
-    import http.client as httplib
-
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -405,10 +394,13 @@ def configure_instance(self, host_name, dm_password, admin_password,
             self.step("fixing RA database permissions", self.fix_ra_perms)
             self.step("setting up signing cert profile", self.__setup_sign_profile)
             self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
+            self.step("configure certmonger for renewals",
+                      self.configure_certmonger_renewal)
             if not self.clone:
                 self.step("restarting certificate server", self.restart_instance)
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
-                self.step("issuing RA agent certificate", self.__issue_ra_cert)
+                self.step("exporting RA agent certificate",
+                          lambda: export_kra_agent_pem())
                 self.step("adding RA agent as a trusted user", self.__create_ca_agent)
             elif ra_p12 is not None:
                 self.step("importing RA certificate from PKCS #12 file",
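Review bot: The `lambda: export_kra_agent_pem()` on L258 wraps a callable that takes no arguments, so `self.step("exporting RA agent certificate", export_kra_agent_pem)` does the same with one fewer indirection and matches the other `self.step` calls in this method. With the `__issue_ra_cert` step replaced here and the "configure RA certificate renewal" step dropped in the next hunk, `configure_agent_renewal`, `get_defList`, `find_substring` and `get_outputList` may have lost their only callers; if so they should be removed in this PR rather than left as dead code (I cannot see the rest of the module to confirm). `configure_instance` continues outside the hunk.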
@@ -418,10 +410,7 @@ def configure_instance(self, host_name, dm_password, admin_password,
                       configure_lightweight_ca_acls)
             self.step("Ensure lightweight CAs container exists",
                       ensure_lightweight_cas_container)
-            self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
             self.step("configure certificate renewals", self.configure_renewal)
-            if not self.clone:
-                self.step("configure RA certificate renewal", self.configure_agent_renewal)
             self.step("configure Server-Cert certificate renewal", self.track_servercert)
             self.step("Configure HTTP to proxy connections",
                       self.http_proxy)
@@ -629,105 +618,6 @@ def enable_pkix(self):
                                    'NSS_ENABLE_PKIX_VERIFY', '1',
                                    quotes=False, separator='=')
 
-    def __issue_ra_cert(self):
-        # The CA certificate is in the agent DB but isn't trusted
-        (admin_fd, admin_name) = tempfile.mkstemp()
-        os.write(admin_fd, self.admin_password)
-        os.close(admin_fd)
-
-        # Look through the cert chain to get all the certs we need to add
-        # trust for
-        args = [paths.CERTUTIL,
-                "-d", self.agent_db,
-                "-O",
-                "-n", "ipa-ca-agent"]
-        result = ipautil.run(args, capture_output=True)
-        chain = result.output.split("\n")
-
-        root_nickname=[]
-        for part in chain:
-            m = re.match('\ *"(.*)" \[.*', part)
-            if m:
-                nick = m.groups(0)[0]
-                if nick != "ipa-ca-agent" and nick[:7] != "Builtin":
-                    root_nickname.append(m.groups()[0])
-
-        try:
-            for nick in root_nickname:
-                self.__run_certutil(
-                    ['-M', '-t', 'CT,C,C', '-n',
-                     nick],
-                     database=self.agent_db, pwd_file=self.admin_password)
-        finally:
-            os.remove(admin_name)
-
-        # Retrieve the certificate request so we can get the values needed
-        # to issue a certificate. Use sslget here because this is a
-        # temporary database and nsslib doesn't currently support gracefully
-        # opening and closing an NSS database. This would leave the installer
-        # process stuck using this database during the entire cycle. We need
-        # to use the final RA agent database when issuing certs for DS and
-        # mod_nss.
-        args = [
-            paths.SSLGET,
-            '-v',
-            '-n', 'ipa-ca-agent',
-            '-p', self.admin_password,
-            '-d', self.agent_db,
-            '-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
-            '%s' % ipautil.format_netloc(self.fqdn, 8443),
-        ]
-        result = ipautil.run(
-            args, nolog=(self.admin_password,),
-            capture_output=True)
-
-        data = result.output.split('\n')
-        params = get_defList(data)
-        params['requestId'] = find_substring(data, "requestId")
-        params['op'] = 'approve'
-        params['submit'] = 'submit'
-        params['requestNotes'] = ''
-        params = urllib.parse.urlencode(params)
-
-        # Now issue the RA certificate.
-        args = [
-            paths.SSLGET,
-            '-v',
-            '-n', 'ipa-ca-agent',
-            '-p', self.admin_password,
-            '-d', self.agent_db,
-            '-e', params,
-            '-r', '/ca/agent/ca/profileProcess',
-            '%s' % ipautil.format_netloc(self.fqdn, 8443),
-        ]
-        result = ipautil.run(
-            args, nolog=(self.admin_password,),
-            capture_output=True)
-
-        data = result.output.split('\n')
-        outputList = get_outputList(data)
-
-        self.ra_cert = outputList['b64_cert']
-
-        # Strip certificate headers and convert it to proper line ending
-        self.ra_cert = x509.strip_header(self.ra_cert)
-        self.ra_cert = "\n".join(line.strip() for line
-                                 in self.ra_cert.splitlines() if line.strip())
-
-        # Add the new RA cert to the database in /etc/httpd/alias
-        (agent_fd, agent_name) = tempfile.mkstemp()
-        os.write(agent_fd, self.ra_cert)
-        os.close(agent_fd)
-        try:
-            self.__run_certutil(
-                ['-A', '-t', 'u,u,u', '-n', 'ipaCert', '-a',
-                 '-i', agent_name]
-            )
-        finally:
-            os.remove(agent_name)
-
-        export_kra_agent_pem()
-
     def import_ra_cert(self, rafile, configure_renewal=True):
         """
         Cloned RAs will use the same RA agent cert as the master so we
@@ -891,49 +781,68 @@ def __import_ca_chain(self):
             certdb.trust_root_cert(nick, trust_flags)
 
     def __request_ra_certificate(self):
-        # Create a noise file for generating our private key
-        noise = array.array('B', os.urandom(128))
-        (noise_fd, noise_name) = tempfile.mkstemp()
-        os.write(noise_fd, noise)
-        os.close(noise_fd)
+        # create a temp file storing the pwd
+        (agent_fd, agent_pwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA)
+        os.write(agent_fd, self.admin_password)
+        os.close(agent_fd)
+
+        # create a temp pem file storing the CA chain
+        (chain_fd, chain_file) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA)
+        os.close(chain_fd)
+
+        chain = self.__get_ca_chain()
+        data = base64.b64decode(chain)
+        result = ipautil.run(
+            [paths.OPENSSL,
+             "pkcs7",
+             "-inform",
+             "DER",
+             "-print_certs",
+             "-out", chain_file,
+             ], stdin=data, capture_output=False)
+
+        agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
+                      "--dbdir", self.agent_db,
+                      "--nickname", "ipa-ca-agent",
+                      "--cafile", chain_file,
+                      "--ee-url", 'http://%s:8080/ca/ee/ca/' % self.fqdn,
+                      "--agent-url",
+                      'https://%s:8443/ca/agent/ca/' % self.fqdn,
+                      "--sslpinfile", agent_pwdfile]
+        helper = " ".join(agent_args)
+
+        # configure certmonger renew agent to use temporary agent cert
+        old_helper = certmonger.modify_ca_helper(
+            ipalib.constants.RENEWAL_CA_NAME, helper)
 
-        # Generate our CSR. The result gets put into stdout
         try:
+            # The certificate must be requested using caServerCert profile
+            # because this profile does not require agent authentication
+            reqId = certmonger.request_and_wait_for_cert(
+                nssdb=self.ra_agent_db,
+                nickname='ipaCert',
+                principal='host/%s' % self.fqdn,
+                passwd_fname=self.ra_agent_pwd,
+                subject=str(DN(('CN', 'IPA RA'), self.subject_base)),
+                ca=ipalib.constants.RENEWAL_CA_NAME,
+                profile='caServerCert',
+                pre_command='renew_ra_cert_pre',
+                post_command='renew_ra_cert')
+
+            self.requestId = str(reqId)
             result = self.__run_certutil(
-                ["-R", "-k", "rsa", "-g", "2048", "-s",
-                 str(DN(('CN', 'IPA RA'), self.subject_base)),
-                 "-z", noise_name, "-a"],
-                capture_output=True)
+                ['-L', '-n', 'ipaCert', '-a'], capture_output=True)
+            self.ra_cert = x509.strip_header(result.output)
+            self.ra_cert = "\n".join(
+                line.strip() for line
+                in self.ra_cert.splitlines() if line.strip())
         finally:
-            os.remove(noise_name)
-
-        csr = pkcs10.strip_header(result.output)
-
-        # Send the request to the CA
-        conn = httplib.HTTPConnection(self.fqdn, 8080)
-        params = urllib.parse.urlencode({'profileId': 'caServerCert',
-                'cert_request_type': 'pkcs10',
-                'requestor_name': 'IPA Installer',
-                'cert_request': csr,
-                'xmlOutput': 'true'})
-        headers = {"Content-type": "application/x-www-form-urlencoded",
-                   "Accept": "text/plain"}
-
-        conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
-        res = conn.getresponse()
-        if res.status == 200:
-            data = res.read()
-            conn.close()
-            doc = xml.dom.minidom.parseString(data)
-            item_node = doc.getElementsByTagName("RequestId")
-            self.requestId = item_node[0].childNodes[0].data
-            doc.unlink()
-            self.requestId = self.requestId.strip()
-            if self.requestId is None:
-                raise RuntimeError("Unable to determine RA certificate requestId")
-        else:
-            conn.close()
-            raise RuntimeError("Unable to submit RA cert request")
+            # we can restore the helper parameters
+            certmonger.modify_ca_helper(
+                ipalib.constants.RENEWAL_CA_NAME, old_helper)
+            # remove the pwdfile
+            os.remove(agent_pwdfile)
+            os.remove(chain_file)
 
     def fix_ra_perms(self):
         os.chmod(self.ra_agent_db + "/cert8.db", 0o640)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 31fd36c..e03d60b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -344,18 +344,6 @@ def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None
 
         return dercert
 
-    def create_signing_cert(self, nickname, hostname, other_certdb=None, subject=None):
-        cdb = other_certdb
-        if not cdb:
-            cdb = self
-        if subject is None:
-            subject=DN(('CN', hostname), self.subject_base)
-        self.request_cert(subject)
-        cdb.issue_signing_cert(self.certreq_fname, self.certder_fname)
-        self.import_cert(self.certder_fname, nickname)
-        os.unlink(self.certreq_fname)
-        os.unlink(self.certder_fname)
-
     def request_cert(
             self, subject, certtype="rsa", keysize="2048",
             san_dnsnames=None):
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 2890b4b..cbe3e43 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -127,7 +127,7 @@ def __init__(self, realm, subsystem, service_desc, host_name=None,
         self.admin_dn = DN(('uid', self.admin_user),
                            ('ou', 'people'), ('o', 'ipaca'))
         self.admin_groups = None
-        self.agent_db = tempfile.mkdtemp(prefix="tmp-")
+        self.agent_db = tempfile.mkdtemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)
         self.subsystem = subsystem
         self.security_domain_name = "IPA"
         # replication parameters
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index d27eba1..a58f8eb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -33,6 +33,7 @@
 
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil, sysrestore, ipaldap
+from ipapython import dogtag
 from ipaserver.install import service
 from ipaserver.install import installutils
 from ipaserver.install import certs
@@ -47,6 +48,7 @@
 from ipaplatform.constants import constants as platformconstants
 from ipaplatform.tasks import tasks
 from ipalib.constants import CACERT
+from ipapython import certmonger
 from ipapython.dn import DN
 from ipapython.admintool import ScriptError
 from ipaplatform import services
@@ -776,23 +778,45 @@ def __enable_ssl(self):
             # We only handle one server cert
             self.nickname = server_certs[0][0]
             self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
+
+            if self.ca_is_configured:
+                dsdb.track_server_cert(
+                    self.nickname, self.principal, dsdb.passwd_fname,
+                    'restart_dirsrv %s' % self.serverid)
         else:
             cadb = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base)
 
             # FIXME, need to set this nickname in the RA plugin
             cadb.export_ca_cert('ipaCert', False)
             dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
-            self.dercert = dsdb.create_server_cert(
-                self.nickname, self.fqdn, cadb)
+            ca_args = ['/usr/libexec/certmonger/dogtag-submit',
+                       '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+                       '--dbdir', paths.HTTPD_ALIAS_DIR,
+                       '--nickname', 'ipaCert',
+                       '--sslpinfile', paths.ALIAS_PWDFILE_TXT,
+                       '--agent-submit']
+            helper = " ".join(ca_args)
+            prev_helper = certmonger.modify_ca_helper('IPA', helper)
+            try:
+                cmd = 'restart_dirsrv %s' % self.serverid
+                certmonger.request_and_wait_for_cert(
+                    nssdb=dirname,
+                    nickname=self.nickname,
+                    principal=self.principal,
+                    passwd_fname=dsdb.passwd_fname,
+                    subject=str(DN(('CN', self.fqdn), self.subject_base)),
+                    ca='IPA',
+                    profile=dogtag.DEFAULT_PROFILE,
+                    dns=[self.fqdn],
+                    post_command=cmd)
+            finally:
+                certmonger.modify_ca_helper('IPA', prev_helper)
+
+            self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
             dsdb.create_pin_file()
 
         self.cacert_name = dsdb.cacert_name
 
-        if self.ca_is_configured:
-            dsdb.track_server_cert(
-                self.nickname, self.principal, dsdb.passwd_fname,
-                'restart_dirsrv %s' % self.serverid)
-
         ldap_uri = ipaldap.get_ldap_uri(self.fqdn)
         conn = ipaldap.LDAPClient(ldap_uri)
         conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
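Review bot: `'/usr/libexec/certmonger/dogtag-submit'` on L560 is a hard-coded filesystem path in a module that otherwise takes every path from `ipaplatform.paths` (see `paths.HTTPD_ALIAS_DIR` and `paths.ALIAS_PWDFILE_TXT` two lines below); the same literal appears in httpinstance.py at L629, so both should use one constant defined in `ipaplatform.paths` next to `DOGTAG_IPA_RENEW_AGENT_SUBMIT` (name to be chosen). The `ca_args` / `modify_ca_helper` / `try…finally` sequence on L560-L581 is duplicated almost verbatim in httpinstance.py L628-L653; a shared helper in `ipapython.certmonger` taking the nssdb, nickname, principal, subject and post-command would keep the two installers in step and give the duplicated helper arguments a single home. `nssdb=dirname` on L571 refers to a name bound before the hunk; `__enable_ssl` starts and continues outside it.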
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bd19621..bc36ccd 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -34,6 +34,8 @@
 from ipaserver.install import certs
 from ipaserver.install import installutils
 from ipapython import sysrestore
+from ipapython import certmonger
+from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
@@ -305,10 +307,6 @@ def configure_certmonger_renewal_guard(self):
                 certmonger.stop()
 
     def __setup_ssl(self):
-        fqdn = self.fqdn
-
-        ca_db = certs.CertDB(self.realm, host_name=fqdn, subject_base=self.subject_base)
-
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         if self.pkcs12_info:
             if self.ca_is_configured:
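Review bot: The new module-level `from ipapython import certmonger` (L604, previous hunk) shares its name with the `certmonger` whose `.stop()` is called on L610 inside `configure_certmonger_renewal_guard`; if that is a local service handle assigned earlier in the method (outside the hunk) the local shadows the module only within that method and the call is fine, but if it relied on a module-level name the import now rebinds it — worth a quick check either way, and a distinct local name such as `certmonger_svc` would remove the ambiguity for future readers. `__setup_ssl` continues past the hunk.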
@@ -337,10 +335,33 @@ def __setup_ssl(self):
         else:
             if not self.promote:
                 db.create_password_conf()
-                self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
-                                                     ca_db)
-                db.track_server_cert(self.cert_nickname, self.principal,
-                                     db.passwd_fname, 'restart_httpd')
+                ca_args = [
+                    '/usr/libexec/certmonger/dogtag-submit',
+                    '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+                    '--dbdir', paths.HTTPD_ALIAS_DIR,
+                    '--nickname', 'ipaCert',
+                    '--sslpinfile', paths.ALIAS_PWDFILE_TXT,
+                    '--agent-submit'
+                    ]
+                helper = " ".join(ca_args)
+                prev_helper = certmonger.modify_ca_helper('IPA', helper)
+
+                try:
+                    certmonger.request_and_wait_for_cert(
+                        nssdb=db.secdir,
+                        nickname=self.cert_nickname,
+                        principal=self.principal,
+                        passwd_fname=db.passwd_fname,
+                        subject=str(DN(('CN', self.fqdn), self.subject_base)),
+                        ca='IPA',
+                        profile=dogtag.DEFAULT_PROFILE,
+                        dns=[self.fqdn],
+                        post_command='restart_httpd')
+                    self.dercert = db.get_cert_from_db(
+                        self.cert_nickname, pem=False)
+                finally:
+                    certmonger.modify_ca_helper('IPA', prev_helper)
+
                 self.add_cert_to_service()
 
             server_certs = db.find_server_certs()
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..4412c14 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -688,6 +688,7 @@ def uninstall_master(host, ignore_topology_disconnect=True,
                       paths.SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR,
                       paths.VAR_LIB_PKI_TOMCAT_DIR,
                       paths.PKI_TOMCAT,
+                      paths.IPA_RENEWAL_LOCK,
                       paths.REPLICA_INFO_GPG_TEMPLATE % host.hostname],
                      raiseonerr=False)
     host.run_command("find /var/lib/sss/keytabs -name '*.keytab' | "