Last active
December 15, 2017 19:56
-
-
Save dandrzejewski/edb067534c2fcf1ce9a6130982bc0c6f to your computer and use it in GitHub Desktop.
Regenerate custodia keys in freeipa. Helps solve the 406 decryption failed error when running ipa-replica-install
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """Regenerate Custodia server.keys and config | |
| Christian Heimes <cheimes@redhat.com> | |
| """ | |
| import argparse | |
| import os | |
| from ipalib import api | |
| from ipaplatform.paths import paths | |
| from ipapython.ipautil import backup_file | |
| from ipaserver.install.custodiainstance import CustodiaInstance | |
| from ipaserver.install.installutils import is_ipa_configured, remove_file | |
| from ipaserver.install import sysupgrade | |
| def regen_custodia(): | |
| custodia = CustodiaInstance( | |
| host_name=api.env.host, | |
| realm=api.env.realm, | |
| ) | |
| # stop service if it is running | |
| is_running = custodia.is_running() | |
| if is_running: | |
| custodia.print_msg("Stopping {}".format(custodia.service_name)) | |
| custodia.stop() | |
| # backup and remove old file (if exists) | |
| for filename in (custodia.config_file, custodia.server_keys): | |
| custodia.print_msg( | |
| "Backing up and removing existing '{}'".format(filename) | |
| ) | |
| backup_file(filename) | |
| remove_file(filename) | |
| # fake uninstalled state | |
| sysupgrade.set_upgrade_state('custodia', 'installed', False) | |
| # Run install to create server keys and config. This will NOT create | |
| # new keys for services such as Lightweight CA keys (Dogtag). Cannot | |
| # use upgrade_instance() because it doesn't perform all steps on | |
| # FreeIPA 4.4 and 4.5. | |
| # create_instance() set upgrade state to installed | |
| custodia.print_msg( | |
| "Running create_instance to regenerate config and keys." | |
| ) | |
| custodia.create_instance() | |
| # start Custodia if it has been running before | |
| if is_running: | |
| custodia.print_msg("Starting {}".format(custodia.service_name)) | |
| custodia.start() | |
| custodia.print_msg("Success!") | |
| custodia.print_msg( | |
| "It may take a couple of minutes until public keys are replicated " | |
| "to other LDAP servers." | |
| ) | |
| def main(): | |
| parser = argparse.ArgumentParser( | |
| "ipa-custodia-regen", | |
| description=( | |
| "Regenerate ipa-custodia config and keys. This tool will " | |
| "destroy existing ipa-custodia keys and replace them with " | |
| "a set of new keys." | |
| ) | |
| ) | |
| parser.add_argument( | |
| "--debug", | |
| action="store_true", | |
| help="Enable debug mode", | |
| ) | |
| parser.add_argument( | |
| "--regenerate", | |
| action="store_true", | |
| help="Perform regeneration", | |
| ) | |
| args = parser.parse_args() | |
| if not is_ipa_configured(): | |
| parser.error("IPA is not configured on this system.\n") | |
| if os.geteuid() != 0: | |
| parser.error("Script must be executed as root.\n") | |
| # use private in-memory ccache | |
| os.environ['KRB5CCNAME'] = 'MEMORY:ipa-custodia-regen' | |
| # use host keytab to acquire TGT for LDAP connection | |
| os.environ['KRB5_CLIENT_KTNAME'] = paths.KRB5_KEYTAB | |
| # initialize API | |
| if not api.isdone('finalize'): | |
| api.bootstrap( | |
| verbose=True, | |
| debug=args.debug, | |
| in_server=True, | |
| ) | |
| api.finalize() | |
| # connect LDAP backend | |
| if not api.Backend.ldap2.isconnected(): | |
| api.Backend.ldap2.connect() | |
| if args.regenerate: | |
| # go for it! | |
| regen_custodia() | |
| else: | |
| parser.error("Nothing to do, please read --help message!\n") | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment