Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2012-04-02 at 15:36 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
Certmonger will currently automatically renew server certificates but
doesn't restart the services so you can still end up with expired
certificates if you services never restart.

This patch registers are restart command with certmonger so the IPA
services will automatically be restarted to get the updated cert.

Easy to test. Install IPA then resubmit the current server certs and
watch the services restart:

# ipa-getcert list

Find the ID for either your dirsrv or httpd instance

# ipa-getcert resubmit -i<ID>

Watch /var/log/httpd/error_log or
/var/log/dirsrv/slapd-INSTANCE/errors
to see the service restart.

rob

What about current instances - can we/do we want to update certmonger
tracking so that their instances are restarted as well?

Anyway, I found few issues SELinux issues with the patch:

1) # rpm -Uvh freeipa-*
Preparing... ########################################### [100%]
1:freeipa-python ########################################### [ 20%]
2:freeipa-client ########################################### [ 40%]
3:freeipa-admintools ########################################### [
60%]
4:freeipa-server ########################################### [ 80%]
/usr/bin/chcon: failed to change context of
`/usr/lib64/ipa/certmonger' to
`unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid
argument
/usr/bin/chcon: failed to change context of
`/usr/lib64/ipa/certmonger/restart_dirsrv' to
`unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid
argument
/usr/bin/chcon: failed to change context of
`/usr/lib64/ipa/certmonger/restart_httpd' to
`unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid
argument
warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64)
scriptlet failed, exit status 1
5:freeipa-server-selinux ###########################################
[100%]

certmonger_unconfined_exec_t type was unknown with my selinux policy:

selinux-policy-3.10.0-80.fc16.noarch
selinux-policy-targeted-3.10.0-80.fc16.noarch

If we need a higher SELinux version, we should bump the required
package
version spec file.

Yeah, waiting on it to be backported.


2) Change of SELinux context with /usr/bin/chcon is temporary until
restorecon or system relabel occurs. I think we should make it
persistent and enforce this type in our SELinux policy and rather call
restorecon instead of chcon

That's a good idea, why didn't I think of that :-(

Ah, now I remember, it will be handled by selinux-policy. I would have
used restorecon here but since the policy isn't there yet this seemed
like a good idea.

I'm trying to find out the status of this new policy, it may only make
it into F-17.

rob

Ok. But if this policy does not go in F-16 and if we want this fix in
F16 release too, I guess we would have to implement both approaches in
our spec file:

1) When on F16, include SELinux policy for restart scripts + run
restorecon
2) When on F17, do not include the SELinux policy (+ run restorecon)

Martin


Won't work without updated selinux-policy. Without the permission for
certmonger to execute the commands things will still fail (just in
really non-obvious and far in the future ways).

It looks like this is fixed in F-17 selinux-policy-3.10.0-107.

rob

Updated patch which works on F-17.

rob
>From fcea9b3c26d66091158b88200cf231211fff5b12 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 27 Mar 2012 17:17:17 -0400
Subject: [PATCH] Configure certmonger to execute restart scripts on renewal.

certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
---
 freeipa.spec.in                        |   11 +++++++++--
 install/Makefile.am                    |    1 +
 install/configure.ac                   |    1 +
 install/restart_scripts/Makefile.am    |   15 +++++++++++++++
 install/restart_scripts/README         |    2 ++
 install/restart_scripts/restart_dirsrv |    2 ++
 install/restart_scripts/restart_httpd  |    2 ++
 ipapython/certmonger.py                |    9 ++++++++-
 ipaserver/install/certs.py             |   14 ++++++++++++--
 ipaserver/install/dsinstance.py        |    6 +++---
 ipaserver/install/httpinstance.py      |    4 ++--
 11 files changed, 57 insertions(+), 10 deletions(-)
 create mode 100644 install/restart_scripts/Makefile.am
 create mode 100644 install/restart_scripts/README
 create mode 100755 install/restart_scripts/restart_dirsrv
 create mode 100755 install/restart_scripts/restart_httpd

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f463d8ecb4380bc5cf498decc64a8241d565bc86..d52a7973e289ba2c53d21643d8bf6b364817fc4c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -117,7 +117,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 %endif
 %if 0%{?fedora} >= 17
-Requires: selinux-policy >= 3.10.0-82
+Requires: selinux-policy >= 3.10.0-110
 %else
 %if 0%{?fedora} == 16
 Requires: selinux-policy >= 3.10.0-78
@@ -214,7 +214,7 @@ Requires:  xmlrpc-c
 %endif
 %endif
 Requires: sssd >= 1.8.0
-Requires: certmonger >= 0.26
+Requires: certmonger >= 0.53
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
@@ -538,6 +538,8 @@ fi
 %endif
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
+%dir %{_libdir}/ipa/certmonger
+%attr(755,root,root) %{_libdir}/ipa/certmonger/*
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
 %{_usr}/share/ipa/*.ldif
@@ -674,6 +676,11 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr  3 2012 Rob Crittenden <rcrit...@redhat.com> - 2.2.0-20
+- Set min for selinux-policy to 3.10.0-110 on F-17 to pick up certmonger
+  policy for restarting services.
+- Set min for certmonger to 0.53 so we have the -C option to set restart
+  commands.
 
 * Tue Mar 27 2012 Rob Crittenden <rcrit...@redhat.com> - 2.2.0-19
 - Add python-krbV Requires on client package
diff --git a/install/Makefile.am b/install/Makefile.am
index 1b0cda90a26f6ce8687e6dce35c90fee055fbc7a..4d24d072dbda5817691ac21388edf196ee942c5d 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -13,6 +13,7 @@ SUBDIRS =			\
         tools			\
         updates			\
         po			\
+        restart_scripts		\
 	$(NULL)
 
 install-exec-local:
diff --git a/install/configure.ac b/install/configure.ac
index bb1ec5025576371d93af1a838930113f3689fae5..827ddbab411a4aa8abbdd4488e217ce67046bd6b 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -81,6 +81,7 @@ AC_CONFIG_FILES([
     tools/man/Makefile
     updates/Makefile
     po/Makefile
+    restart_scripts/Makefile
 ])
 
 AC_OUTPUT
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..abc066b305356da3ed51beafc8c8dee7829b98ff
--- /dev/null
+++ b/install/restart_scripts/Makefile.am
@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(libdir)/ipa/certmonger
+app_DATA =                              \
+	restart_dirsrv			\
+	restart_httpd			\
+	$(NULL)
+
+EXTRA_DIST =                            \
+        $(app_DATA)                     \
+        $(NULL)
+
+MAINTAINERCLEANFILES =                  \
+        *~                              \
+        Makefile.in
diff --git a/install/restart_scripts/README b/install/restart_scripts/README
new file mode 100644
index 0000000000000000000000000000000000000000..64ad8b43eb24bd7c131e044fc8590f7cd0157678
--- /dev/null
+++ b/install/restart_scripts/README
@@ -0,0 +1,2 @@
+This directory contains scripts to be used by the command (-C) option
+of certmonger to restart services when the certificates are renewed.
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
new file mode 100755
index 0000000000000000000000000000000000000000..cef14ae3d8a5a6218e4f1cadd2f7ae042ad9195a
--- /dev/null
+++ b/install/restart_scripts/restart_dirsrv
@@ -0,0 +1,2 @@
+#!/bin/sh
+/sbin/service dirsrv restart
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
new file mode 100755
index 0000000000000000000000000000000000000000..d9b01980464bc3a855ce08699de699711cb47e65
--- /dev/null
+++ b/install/restart_scripts/restart_httpd
@@ -0,0 +1,2 @@
+#!/bin/sh
+/sbin/service httpd reload
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index fda539b34829e4a05f5614c551929facaf8c8260..22a599ae69526b82b9364b96271d44306e440315 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -189,11 +189,15 @@ def cert_exists(nickname, secdir):
     else:
         return False
 
-def start_tracking(nickname, secdir, password_file=None):
+def start_tracking(nickname, secdir, password_file=None, command=None):
     """
     Tell certmonger to track the given certificate nickname in NSS
     database in secdir protected by optional password file password_file.
 
+    command is an optional parameter which specifies a command for
+    certmonger to run when it renews a certificate. This command must
+    reside in /usr/lib/ipa/certmonger to work with SELinux.
+
     Returns the stdout, stderr and returncode from running ipa-getcert
 
     This assumes that certmonger is already running.
@@ -206,6 +210,9 @@ def start_tracking(nickname, secdir, password_file=None):
     if password_file:
         args.append("-p")
         args.append(os.path.abspath(password_file))
+    if command:
+        args.append("-C")
+        args.append(command)
 
     (stdout, stderr, returncode) = ipautil.run(args)
 
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 13770811ecb5716b02493332006ed09004ffc1c3..d25a471ea92072781bb96095a3f5178b0762eeb4 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -18,6 +18,7 @@
 #
 
 import os, stat, subprocess, re
+import sys
 import errno
 import tempfile
 import shutil
@@ -492,16 +493,25 @@ class CertDB(object):
 
         raise RuntimeError("Unable to find serial number")
 
-    def track_server_cert(self, nickname, principal, password_file=None):
+    def track_server_cert(self, nickname, principal, password_file=None, command=None):
         """
         Tell certmonger to track the given certificate nickname.
+
+        If command is not a full path then it is prefixed with
+        /usr/lib[64]/ipa/certmonger.
         """
+        if command is not None and not os.path.isabs(command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
         cmonger = ipaservices.knownservices.certmonger
         cmonger.enable()
         ipaservices.knownservices.messagebus.start()
         cmonger.start()
         try:
-            (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file)
+            (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file, command)
         except (ipautil.CalledProcessError, RuntimeError), e:
             root_logger.error("certmonger failed starting to track certificate: %s" % str(e))
             return
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e549e13ccad711da8fbde359f9263f5828c6d5a0..cac12fa7258a9b0d0e78c4369a2f5741b3e7d416 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -486,21 +486,21 @@ class DsInstance(service.Service):
             # We only handle one server cert
             nickname = server_certs[0][0]
             self.dercert = dsdb.get_cert_from_db(nickname, pem=False)
-            dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname)
+            dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv')
         else:
             nickname = "Server-Cert"
             cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
             if self.self_signed_ca:
                 dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
                 self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
-                dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname)
+                dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv')
                 dsdb.create_pin_file()
             else:
                 # FIXME, need to set this nickname in the RA plugin
                 cadb.export_ca_cert('ipaCert', False)
                 dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
                 self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
-                dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname)
+                dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv')
                 dsdb.create_pin_file()
 
         conn = ipaldap.IPAdmin("127.0.0.1")
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e46d4ed5a19fb93398acf3c39cdefeafbac3ea9c..466a2b0f3e07c174948092eead42b954e4dc5943 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -210,7 +210,7 @@ class HTTPInstance(service.Service):
             # We only handle one server cert
             nickname = server_certs[0][0]
             self.dercert = db.get_cert_from_db(nickname, pem=False)
-            db.track_server_cert(nickname, self.principal, db.passwd_fname)
+            db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
 
             self.__set_mod_nss_nickname(nickname)
         else:
@@ -219,7 +219,7 @@ class HTTPInstance(service.Service):
 
             db.create_password_conf()
             self.dercert = db.create_server_cert("Server-Cert", self.fqdn, ca_db)
-            db.track_server_cert("Server-Cert", self.principal, db.passwd_fname)
+            db.track_server_cert("Server-Cert", self.principal, db.passwd_fname, 'restart_httpd')
             db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
 
         # Fix the database permissions
-- 
1.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to