Re: [Freeipa-devel] Fwd: [Freeipa-users] [PATCH] 512 track server certs with certmonger

2010-09-09 Thread Adam Young

On 09/08/2010 10:13 PM, Rob Crittenden wrote:

Adam Young wrote:

On 08/16/2010 06:00 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

I did it again :-(


Updated patch that should apply cleanly.

rob


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


ImportError: No module named certmonger. Need whatever provides that as
an rpm dependency. This system has certmonger on it, but I see no python
files in it.


I forgot to re-add certmonger.py when I rebased it last time. I've 
re-based the patch again and included certmonger.py, it should work 
this time.


rob

ACK



Re: [Freeipa-devel] Fwd: [Freeipa-users] [PATCH] 512 track server certs with certmonger

2010-09-08 Thread Adam Young

On 08/16/2010 06:00 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

I did it again :-(


Updated patch that should apply cleanly.

rob




ImportError: No module named certmonger.  Need whatever provides that as 
an rpm dependency.  This system has certmonger on it, but I see no 
python files in it.







Re: [Freeipa-devel] Fwd: [Freeipa-users] [PATCH] 512 track server certs with certmonger

2010-09-08 Thread Rob Crittenden

Adam Young wrote:

On 08/16/2010 06:00 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

I did it again :-(


Updated patch that should apply cleanly.

rob




ImportError: No module named certmonger. Need whatever provides that as
an rpm dependency. This system has certmonger on it, but I see no python
files in it.


I forgot to re-add certmonger.py when I rebased it last time. I've 
re-based the patch again and included certmonger.py, it should work this 
time.


rob
From 91c04279bfc113a168b81e95e0bc0226aff45dfb Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 8 Sep 2010 22:11:31 -0400
Subject: [PATCH] Have certmonger track the initial Apache and 389-ds server certs.

We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.

This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.

This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.

ticket 67
---
 ipalib/plugins/cert.py|   29 +++-
 ipaserver/install/Makefile.am |1 +
 ipaserver/install/certmonger.py   |  152 +
 ipaserver/install/certs.py|   51 -
 ipaserver/install/dsinstance.py   |   27 ---
 ipaserver/install/httpinstance.py |   11 ++-
 ipaserver/install/service.py  |2 +
 7 files changed, 254 insertions(+), 19 deletions(-)
 create mode 100644 ipaserver/install/certmonger.py

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 1154e2e..60161cf 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -417,7 +417,16 @@ class cert_show(VirtualCommand):
 operation=retrieve certificate
 
 def execute(self, serial_number):
-self.check_access()
+hostname = None
+try:
+self.check_access()
+except errors.ACIError, acierr:
+self.debug(Not granted by ACI to retrieve certificate, looking at principal)
+bind_principal = getattr(context, 'principal')
+if not bind_principal.startswith('host/'):
+raise acierr
+hostname = get_host_from_principal(bind_principal)
+
 result=self.Backend.ra.get_certificate(serial_number)
 cert = x509.load_certificate(result['certificate'])
 result['subject'] = unicode(cert.subject)
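Review bot: the host-principal fallback in execute() lets any host/ principal get past check_access() before anything about the certificate has been examined; the subject comparison that actually limits what such a host may see is further down in the same method, so a reader of this hunk alone cannot tell that the access rule is "a host may only retrieve its own certificate". A comment at the point where hostname is set (e.g. `# host principals may only retrieve their own cert; subject is checked below`) and a line in the cert_show docstring stating the rule would make it explicit. Please also confirm that get_host_from_principal is imported in this module, since no import appears in the diff.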
@@ -426,6 +435,12 @@ class cert_show(VirtualCommand):
 result['valid_not_after'] = unicode(cert.valid_not_after_str)
 result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
 result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+if hostname:
+# If we have a hostname we want to verify that the subject
+# of the certificate matches it, otherwise raise an error
+if hostname != cert.subject.common_name:
+raise acierr
+
 return dict(result=result)
 
 api.register(cert_show)
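Review bot: `if hostname != cert.subject.common_name:` is a case-sensitive string comparison, but the hostname comes from a Kerberos principal and DNS names are case-insensitive, so a certificate whose CN was issued with different casing would be rejected for its own host. Comparing `hostname.lower()` against `cert.subject.common_name.lower()` avoids that. Note also that the RA lookup and the fingerprint computation run before the comparison, so a host that fails the check still causes a retrieval from the CA, although nothing is returned to it.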
@@ -457,7 +472,17 @@ class cert_revoke(VirtualCommand):
 )
 
 def execute(self, serial_number, **kw):
-self.check_access()
+hostname = None
+try:
+self.check_access()
+except errors.ACIError, acierr:
+self.debug(Not granted by ACI to revoke certificate, looking at principal)
+try:
+# Let cert_show() handle verifying that the subject of the
+# cert we're dealing with matches the hostname in the principal
+result = api.Command['cert_show'](unicode(serial_number))['result']
+except errors.NotImplementedError:
+pass
 return dict(
 result=self.Backend.ra.revoke_certificate(serial_number, **kw)
 )
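Review bot: the `except errors.NotImplementedError: pass` branch lets revocation proceed with no subject check at all: if cert_show cannot look up the certificate, a host principal that already failed the ACI check falls through to revoke_certificate on an arbitrary serial number. Re-raising acierr in that branch keeps the fallback closed (an ACIError raised by cert_show for a subject mismatch already propagates correctly, which is the intended behaviour). Separately, `result` is assigned but never used and `hostname = None` is set but never read in this method, so both can be dropped.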
diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am
index 964837c..8932ead 100644
--- a/ipaserver/install/Makefile.am
+++ b/ipaserver/install/Makefile.am
@@ -15,6 +15,7 @@ app_PYTHON = 			\
 	replication.py		\
 	certs.py		\
 ldapupdate.py		\
+certmonger.py		\
 	$(NULL)
 
 EXTRA_DIST =			\
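Review bot: this entry is what fixes the ImportError reported earlier in the thread, since certmonger.py was otherwise not installed with the rest of app_PYTHON. The added line does not carry the leading tab that replication.py and certs.py use (the existing ldapupdate.py context line has the same inconsistency); worth aligning while the list is being touched.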
diff --git a/ipaserver/install/certmonger.py b/ipaserver/install/certmonger.py
new file mode 100644
index 000..bb56c2a
--- /dev/null
+++ b/ipaserver/install/certmonger.py
@@ -0,0 +1,152 @@
+# Authors: Rob Crittenden rcrit...@redhat.com
+#
+# Copyright (C) 2010  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software 
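Review bot: only the license header of the new 152-line module is visible in this message, so the tracking logic cannot be reviewed here. When the full file is posted, please make sure its module docstring records the constraint the commit message describes, namely that certmonger does not store a subject or principal template when a cert is added via start-tracking and that the request files therefore need manual edits once tracking has begun, so that someone reading the module later understands why those edits are made.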

Re: [Freeipa-devel] Fwd: [Freeipa-users] [PATCH] 512 track server certs with certmonger

2010-08-16 Thread Rob Crittenden

Rob Crittenden wrote:

I did it again :-(


Updated patch that should apply cleanly.

rob


freeipa-512-2-cert.patch
Description: application/mbox