From 2f27db1257e1ba2b2e21d5a9dd2ca201237406e8 Mon Sep 17 00:00:00 2001
Message-Id: <2f27db1257e1ba2b2e21d5a9dd2ca201237406e8.1425817135.git.hahn@univention.de>
From: Philipp Hahn
Date: Sun, 8 Mar 2015 13:10:21 +0100
Subject: [PATCH] Bug #30005 SSL: Create missing certificates
Organization: Univention GmbH, Bremen, Germany
Always create missing SSL certificates.
---
 .../base/univention-ssl/gencertificate.py | 77 ++++++++--------------
 1 file changed, 29 insertions(+), 48 deletions(-)
diff --git a/branches/ucs-4.0/ucs-4.0-1/base/univention-ssl/gencertificate.py b/branches/ucs-4.0/ucs-4.0-1/base/univention-ssl/gencertificate.py
index 3863f24..1153400 100644
--- a/branches/ucs-4.0/ucs-4.0-1/base/univention-ssl/gencertificate.py
+++ b/branches/ucs-4.0/ucs-4.0-1/base/univention-ssl/gencertificate.py
@@ -62,58 +62,39 @@ def initialize():
 def handler(dn, new, old):
 """Handle changes to 'dn'."""
- setuid(0)
+ if configRegistry['server/role'] != 'domaincontroller_master':
+ return
+
+ global uidNumber
 try:
- if configRegistry['server/role'] != 'domaincontroller_master':
- return
+ uidNumber = int(new.get('uidNumber', ['0'])[0])
+ except (LookupError, TypeError, ValueError):
+ uidNumber = 0
- global uidNumber
- try:
- uidNumber = int(new.get('uidNumber', ['0'])[0])
- except (LookupError, TypeError, ValueError):
- uidNumber = 0
-
- global gidNumber
- try:
- gidNumber = int(grp.getgrnam('DC Backup Hosts')[2])
- except (LookupError, TypeError, ValueError):
- ud.debug(ud.LISTENER, ud.WARN,
- 'CERTIFICATE: Failed to get groupID for "%s"' % dn)
- gidNumber = 0
-
- if new and not old:
- # changeType: add
- try:
- domain = new['associatedDomain'][0]
- except LookupError:
- domain = configRegistry['domainname']
- create_certificate(new['cn'][0], domainname=domain)
- elif old and not new:
- # changeType: delete
- try:
- domain = old['associatedDomain'][0]
- except LookupError:
- domain = configRegistry['domainname']
- remove_certificate(old['cn'][0], domainname=domain)
- else:
- # changeType: modify
- try:
- old_domain = old['associatedDomain'][0]
- except LookupError:
- old_domain = configRegistry['domainname']
-
- try:
- new_domain = new['associatedDomain'][0]
- except LookupError:
- new_domain = configRegistry['domainname']
-
- if new_domain != old_domain:
- remove_certificate(old['cn'][0], domainname=old_domain)
+ global gidNumber
+ try:
+ gidNumber = int(grp.getgrnam('DC Backup Hosts')[2])
+ except (LookupError, TypeError, ValueError):
+ ud.debug(ud.LISTENER, ud.WARN,
+ 'CERTIFICATE: Failed to get groupID for "%s"' % dn)
+ gidNumber = 0
+
+ old_domain = new_domain = configRegistry['domainname']
+ if old and 'associatedDomain' in old:
+ old_domain = old['associatedDomain'][0]
+ if new and 'associatedDomain' in new:
+ old_domain = new['associatedDomain'][0]
+
+ setuid(0)
+ try:
+ if not new or new_domain != old_domain:
+ remove_certificate(old['cn'][0], domainname=old_domain)
+ if new:
+ fqdn = "%s.%s" % (new['cn'][0], new_domain)
+ certpath = os.path.join(SSLDIR, fqdn)
+ if new_domain != old_domain or not os.path.exists(certpath):
 create_certificate(new['cn'][0], domainname=new_domain)
 else:
- # Reset permissions
- fqdn = "%s.%s" % (new['cn'][0], new_domain)
- certpath = os.path.join(SSLDIR, fqdn)
 os.path.walk(certpath, set_permissions, None)
 finally:
 unsetuid()
--
1.9.1
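Review bot: The second domain lookup assigns the wrong variable: `if new and 'associatedDomain' in new:` is followed by `old_domain = new['associatedDomain'][0]`, so `new_domain` never leaves the UCR default and a modify overwrites `old_domain` with the new object's domain. For a host whose associatedDomain differs from `domainname` this makes the remove/create pair delete `cn.<new domain>` and create `cn.<default domain>`, and on an add (old is None) the `new_domain != old_domain` branch dereferences `old['cn']` and raises TypeError inside the setuid(0) block (unsetuid() in the finally still runs, but the listener call fails and no certificate is created). The fix is `new_domain = new['associatedDomain'][0]` plus guarding the removal with `if old and (not new or new_domain != old_domain):`. Moving the uid/gid lookups ahead of setuid(0) is a good privilege-window reduction, but note the key-presence test replaced the old `LookupError` catch, so an `associatedDomain` present with an empty value list would now raise IndexError — presumably never the case for listener dicts, but worth confirming.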