Regenerate Custodia keys in FreeIPA. Helps solve the "406 decryption failed" error when running ipa-replica-install.
#!/usr/bin/env python
"""Regenerate Custodia server.keys and config
Christian Heimes <cheimes@redhat.com>
"""
import argparse
import os
from ipalib import api
from ipaplatform.paths import paths
from ipapython.ipautil import backup_file
from ipaserver.install.custodiainstance import CustodiaInstance
from ipaserver.install.installutils import is_ipa_configured, remove_file
from ipaserver.install import sysupgrade
def regen_custodia():
    """Replace the local Custodia config and server keys with a fresh set.

    Sequence: stop ipa-custodia if it is running, back up and delete the
    existing config file and server.keys, mark Custodia as not installed in
    the upgrade state, then run create_instance() to write a new config and
    key pair. The service is started again only if it was running before.

    Only Custodia's own server keys are regenerated; keys it stores for
    other services (e.g. Dogtag lightweight CA keys) are left untouched.
    upgrade_instance() is deliberately not used because it does not perform
    every step on FreeIPA 4.4 and 4.5.
    """
    instance = CustodiaInstance(host_name=api.env.host, realm=api.env.realm)
    emit = instance.print_msg

    was_running = instance.is_running()
    if was_running:
        emit("Stopping {}".format(instance.service_name))
        instance.stop()

    # backup_file() keeps a copy of each old file before remove_file() deletes
    # it. The copy of server.keys still contains the old private key, so the
    # backup location (not visible here) should be treated as sensitive and
    # cleaned up once the new keys are confirmed working.
    for path in (instance.config_file, instance.server_keys):
        emit("Backing up and removing existing '{}'".format(path))
        backup_file(path)
        remove_file(path)

    # Pretend Custodia was never installed so create_instance() performs a
    # full install; create_instance() sets the state back to installed.
    sysupgrade.set_upgrade_state('custodia', 'installed', False)

    emit("Running create_instance to regenerate config and keys.")
    instance.create_instance()

    if was_running:
        emit("Starting {}".format(instance.service_name))
        instance.start()

    emit("Success!")
    emit(
        "It may take a couple of minutes until public keys are replicated "
        "to other LDAP servers."
    )
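def main():
    """Command-line entry point for ipa-custodia-regen.

    Parses the arguments, verifies that IPA is configured and that the
    process runs as root, then bootstraps the ipalib API using a private
    in-memory credential cache and the host keytab, connects the LDAP
    backend and regenerates the Custodia keys.

    Exits via parser.error() (status 2) when a preflight check fails or
    when --regenerate was not given.
    """
    parser = argparse.ArgumentParser(
        "ipa-custodia-regen",
        description=(
            "Regenerate ipa-custodia config and keys. This tool will "
            "destroy existing ipa-custodia keys and replace them with "
            "a set of new keys."
        )
    )
    parser.add_argument(
        "--debug",
        action="store_true",
        help="Enable debug mode",
    )
    parser.add_argument(
        "--regenerate",
        action="store_true",
        help="Perform regeneration",
    )
    args = parser.parse_args()

    # Preflight checks: all of them run before any Kerberos or LDAP activity.
    if not is_ipa_configured():
        parser.error("IPA is not configured on this system.\n")
    if os.geteuid() != 0:
        parser.error("Script must be executed as root.\n")
    if not args.regenerate:
        # Rejected here rather than after the LDAP connect so that an
        # invocation without --regenerate neither acquires a TGT nor opens
        # a connection it will never use.
        parser.error("Nothing to do, please read --help message!\n")

    # Private in-memory ccache: the TGT acquired below is never written to
    # disk and disappears when this process exits.
    os.environ['KRB5CCNAME'] = 'MEMORY:ipa-custodia-regen'
    # Authenticate with the host keytab to obtain the TGT for the LDAP bind.
    os.environ['KRB5_CLIENT_KTNAME'] = paths.KRB5_KEYTAB

    # Initialize the ipalib API in server mode unless a caller already did.
    if not api.isdone('finalize'):
        api.bootstrap(
            verbose=True,
            debug=args.debug,
            in_server=True,
        )
        api.finalize()

    # Make sure the LDAP backend is connected before regeneration starts.
    if not api.Backend.ldap2.isconnected():
        api.Backend.ldap2.connect()

    regen_custodia()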
if __name__ == '__main__':
    # Run the tool only when executed as a script, not when imported.
    main()