From 2b08168df4a1cb1e91cf9600641ed13b971d85be Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Aug 20 2013 14:18:59 +0000 Subject: Port ipa-server-certinstall to the admintool framework. Change the log file path from /var/log/ipa/default.log to admintool's default path. https://fedorahosted.org/freeipa/ticket/3641 --- diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index 01a7ac0..9bb0ef8 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -1,7 +1,7 @@ #! /usr/bin/python -E -# Authors: Karl MacMillan +# Authors: Jan Cholasta # -# Copyright (C) 2007 Red Hat +# Copyright (C) 2013 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify 
@@ -18,143 +18,6 @@ # along with this program. If not, see . # -import sys -import os -import pwd -import tempfile +from ipaserver.install.ipa_server_certinstall import ServerCertInstall -import traceback - -import krbV - -from ipapython.ipautil import user_input - -from ipaserver.install import certs, dsinstance, httpinstance, installutils -from ipalib import api -from ipapython import admintool -from ipapython.ipa_log_manager import * -from ipapython.dn import DN -from ipaserver.plugins.ldap2 import ldap2 - -CACERT = "/etc/ipa/ca.crt" - -def get_realm_name(): - c = krbV.default_context() - return c.default_realm - -def parse_options(): - from optparse import OptionParser - parser = OptionParser() - - parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true", - default=False, help="install certificate for the directory server") - parser.add_option("-w", "--http", dest="http", action="store_true", - default=False, help="install certificate for the http server") - parser.add_option("--dirsrv_pin", dest="dirsrv_pin", - help="The password of the Directory Server PKCS#12 file") - parser.add_option("--http_pin", dest="http_pin", - help="The password of the Apache Server PKCS#12 file") - - options, args = parser.parse_args() - - if not options.dirsrv and not options.http: - parser.error("you must specify dirsrv and/or http") - if ((options.dirsrv and not options.dirsrv_pin) or - (options.http and not options.http_pin)): - parser.error("you must provide the password for the PKCS#12 file") - - if len(args) != 1: - parser.error("you must provide a pkcs12 filename") - - return options, args[0] - -def set_ds_cert_name(cert_name, dm_password): - conn = ldap2(shared_instance=False, base_dn='') - conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password) - mod = {'nssslpersonalityssl': cert_name} - conn.update_entry(DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), mod) - conn.disconnect() - -def import_cert(dirname, pkcs12_fname, 
pkcs12_passwd, db_password): - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, pkcs12_passwd) - os.close(pw_fd) - - try: - server_cert = installutils.check_pkcs12( - pkcs12_info=(pkcs12_fname, pw_name), - ca_file=CACERT, - hostname=api.env.host) - except admintool.ScriptError, e: - print str(e) - sys.exit(1) - - cdb = certs.CertDB(api.env.realm, nssdir=dirname) - cdb.create_passwd_file(db_password) - cdb.create_certdbs() - - try: - try: - cdb.nssdb.import_pem_cert('CA', 'CT,CT,', CACERT) - cdb.import_pkcs12(pkcs12_fname, pw_name) - except RuntimeError, e: - print str(e) - sys.exit(1) - finally: - os.remove(pw_name) - - return server_cert - -def main(): - if os.geteuid() != 0: - sys.exit("\nYou must be root to run this script.\n") - - installutils.check_server_configuration() - - options, pkcs12_fname = parse_options() - - cfg = dict(in_server=True,) - - standard_logging_setup("/var/log/ipa/default.log") - - api.bootstrap(**cfg) - api.finalize() - - try: - if options.dirsrv: - dm_password = installutils.read_password("Directory Manager", - confirm=False, validate=False, retry=False) - if dm_password is None: - sys.exit("Directory Manager password required") - realm = get_realm_name() - dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm)) - fd = open(dirname + "/pwdfile.txt") - passwd = fd.read() - fd.close() - - server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd) - set_ds_cert_name(server_cert, dm_password) - - if options.http: - dirname = certs.NSS_DIR - server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "") - installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert) - - # Fix the database permissions - os.chmod(dirname + "/cert8.db", 0640) - os.chmod(dirname + "/key3.db", 0640) - os.chmod(dirname + "/secmod.db", 0640) - - pent = pwd.getpwnam("apache") - os.chown(dirname + "/cert8.db", 0, pent.pw_gid ) - os.chown(dirname + "/key3.db", 0, pent.pw_gid ) - os.chown(dirname + 
"/secmod.db", 0, pent.pw_gid ) - - except Exception, e: - traceback.print_exc(file=sys.stderr) - sys.exit("an unexpected error occurred: %s" % str(e)) - - return 0 - -if __name__ == '__main__': - installutils.run_script(main, operation_name='ipa-server-certinstall') +ServerCertInstall.run_cli() diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py new file mode 100644 index 0000000..8eff3ee --- /dev/null +++ b/ipaserver/install/ipa_server_certinstall.py 
@@ -0,0 +1,154 @@ +#! /usr/bin/python +# Authors: Karl MacMillan +# Jan Cholasta +# +# Copyright (C) 2007-2013 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os +import os.path +import pwd + +from ipapython import admintool +from ipapython.dn import DN +from ipapython.ipautil import user_input, write_tmp_file +from ipalib import api +from ipaserver.install import certs, dsinstance, httpinstance, installutils +from ipaserver.plugins.ldap2 import ldap2 + +CACERT = "/etc/ipa/ca.crt" + +class ServerCertInstall(admintool.AdminTool): + command_name = 'ipa-server-certinstall' + + usage = "%prog [options]" + + description = "Install new SSL server certificates." 
+ + @classmethod + def add_options(cls, parser): + super(ServerCertInstall, cls).add_options(parser) + + parser.add_option( + "-d", "--dirsrv", + dest="dirsrv", action="store_true", default=False, + help="install certificate for the directory server") + parser.add_option( + "-w", "--http", + dest="http", action="store_true", default=False, + help="install certificate for the http server") + parser.add_option( + "--dirsrv_pin", + dest="dirsrv_pin", + help="The password of the Directory Server PKCS#12 file") + parser.add_option( + "--http_pin", + dest="http_pin", + help="The password of the Apache Server PKCS#12 file") + + def validate_options(self): + super(ServerCertInstall, self).validate_options(needs_root=True) + + installutils.check_server_configuration() + + if not self.options.dirsrv and not self.options.http: + self.option_parser.error("you must specify dirsrv and/or http") + if ((self.options.dirsrv and not self.options.dirsrv_pin) or + (self.options.http and not self.options.http_pin)): + self.option_parser.error("you must provide the password for the " + "PKCS#12 file") + + if len(self.args) != 1: + self.option_parser.error("you must provide a pkcs12 filename") + + def ask_for_options(self): + super(ServerCertInstall, self).ask_for_options() + + if self.options.dirsrv: + self.dm_password = installutils.read_password( + "Directory Manager", confirm=False, validate=False, retry=False) + if self.dm_password is None: + raise admintool.ScriptError( + "Directory Manager password required") + + def run(self): + api.bootstrap(in_server=True) + api.finalize() + + self.pkcs12_fname = self.args[0] + + if self.options.dirsrv: + self.install_dirsrv_cert() + + if self.options.http: + self.install_http_cert() + + def install_dirsrv_cert(self): + serverid = dsinstance.realm_to_serverid(api.env.realm) + dirname = dsinstance.config_dirname(serverid) + + pwdfile = os.path.join(dirname, 'pwdfile.txt') + with open(pwdfile) as fd: + passwd = fd.read() + + server_cert = 
self.import_cert(dirname, self.options.dirsrv_pin, passwd) + + conn = ldap2(shared_instance=False, base_dn='') + conn.connect(bind_dn=DN(('cn', 'directory manager')), + bind_pw=self.dm_password) + + entry = conn.make_entry(DN(('cn', 'RSA'), ('cn', 'encryption'), + ('cn', 'config')), + nssslpersonalityssl=[server_cert]) + conn.update_entry(entry) + + conn.disconnect() + + def install_http_cert(self): + dirname = certs.NSS_DIR + + server_cert = self.import_cert(dirname, self.options.http_pin, "") + + installutils.set_directive(httpinstance.NSS_CONF, + 'NSSNickname', server_cert) + + # Fix the database permissions + os.chmod(os.path.join(dirname, 'cert8.db'), 0640) + os.chmod(os.path.join(dirname, 'key3.db'), 0640) + os.chmod(os.path.join(dirname, 'secmod.db'), 0640) + + pent = pwd.getpwnam("apache") + os.chown(os.path.join(dirname, 'cert8.db'), 0, pent.pw_gid) + os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) + os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) + + def import_cert(self, dirname, pkcs12_passwd, db_password): + pw = write_tmp_file(pkcs12_passwd) + server_cert = installutils.check_pkcs12( + pkcs12_info=(self.pkcs12_fname, pw.name), + ca_file=CACERT, + hostname=api.env.host) + + cdb = certs.CertDB(api.env.realm, nssdir=dirname) + try: + cdb.create_from_pkcs12(self.pkcs12_fname, pw.name, + db_password, CACERT) + except RuntimeError, e: + raise admintool.ScriptError(str(e)) + + return server_cert
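Review bot: The PKCS#12 passwords still have to be given on the command line — `validate_options` refuses to run without `--dirsrv_pin`/`--http_pin` ("you must provide the password for the PKCS#12 file") — so they end up in `ps` output and shell history, whereas the Directory Manager password is prompted for in `ask_for_options`. Since the port already introduces `ask_for_options`, the two secrets can be handled the same way: prompt for a missing pin with `installutils.read_password(..., confirm=False, validate=False, retry=False)`, raise `admintool.ScriptError` when nothing is entered (as the DM prompt already does), and drop the pin check from `validate_options`; the `--*_pin` options stay for non-interactive use. The prompt label `read_password` expects is not visible in this hunk, so the strings below are placeholders to align with the existing "Directory Manager" prompt. Minor: `import sys` and `user_input` are unused in the new module.
```python
    def ask_for_options(self):
        super(ServerCertInstall, self).ask_for_options()

        # Prompt for PKCS#12 passwords not supplied via --dirsrv_pin/--http_pin
        # so they need not appear in process listings or shell history.
        if self.options.dirsrv and not self.options.dirsrv_pin:
            self.options.dirsrv_pin = installutils.read_password(
                "Directory Server PKCS#12", confirm=False, validate=False,
                retry=False)
            if self.options.dirsrv_pin is None:
                raise admintool.ScriptError(
                    "Directory Server PKCS#12 password required")
        if self.options.http and not self.options.http_pin:
            self.options.http_pin = installutils.read_password(
                "Apache Server PKCS#12", confirm=False, validate=False,
                retry=False)
            if self.options.http_pin is None:
                raise admintool.ScriptError(
                    "Apache Server PKCS#12 password required")
        # … unchanged: Directory Manager password prompt …
```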