Imported Upstream version 4.0.5

2021-07-25 07:50:50 +02:00
parent 8ff3be4216
commit 3bfaa6e020
2049 changed files with 317193 additions and 1632423 deletions
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -21,65 +21,39 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 import sys
-import os
 import syslog
-import tempfile
-import shutil
 import traceback

-from ipalib.install.kinit import kinit_keytab
-from ipalib import api, x509
+from ipalib import api
 from ipaserver.install import certs, cainstance
-from ipaplatform.paths import paths
-
-
-def _main():
-    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-    api.finalize()
-
-    tmpdir = tempfile.mkdtemp(prefix="tmp-")
-    try:
-        principal = str('host/%s@%s' % (api.env.host, api.env.realm))
-        ccache_filename = os.path.join(tmpdir, 'ccache')
-        kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
-        os.environ['KRB5CCNAME'] = ccache_filename
-
-        api.Backend.ldap2.connect()
-
-        ca = cainstance.CAInstance(host_name=api.env.host)
-        ra_certpath = paths.RA_AGENT_PEM
-        if ca.is_renewal_master():
-            # Fetch the new certificate
-            try:
-                cert = x509.load_certificate_from_file(ra_certpath)
-            except IOError as e:
-                syslog.syslog(
-                    syslog.LOG_ERR, "Can't open '{certpath}': {err}"
-                    .format(certpath=ra_certpath, err=e)
-                )
-                sys.exit(1)
-            except (TypeError, ValueError):
-                syslog.syslog(
-                    syslog.LOG_ERR, "'{certpath}' is not a valid certificate "
-                    "file".format(certpath=ra_certpath)
-                )
-                sys.exit(1)
-
-            # Load it into dogtag
-            cainstance.update_people_entry(cert)
-    finally:
-        if api.Backend.ldap2.isconnected():
-            api.Backend.ldap2.disconnect()
-        shutil.rmtree(tmpdir)
+from ipaplatform import services

+nickname = 'ipaCert'

 def main():
-    try:
-        _main()
-    finally:
-        # lock acquired in renew_ra_cert_pre
-        certs.renewal_lock.release('renew_ra_cert')
+    api.bootstrap(context='restart')
+    api.finalize()

+    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    if ca.is_renewal_master():
+        # Fetch the new certificate
+        db = certs.CertDB(api.env.realm)
+        dercert = db.get_cert_from_db(nickname, pem=False)
+        if not dercert:
+            syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+            sys.exit(1)
+
+        # Load it into dogtag
+        cainstance.update_people_entry(dercert)
+
+    # Now restart Apache so the new certificate is available
+    syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
+    try:
+        services.knownservices.httpd.restart()
+    except Exception, e:
+        syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
+    else:
+        syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")

 try:
    main()