IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Alert user when externally signed CA is about to expire.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-03-12 11:36:30 +01:00 committed by Petr Viktorin
parent ba3c7b4a89
commit 031096324d
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
install/certmonger/dogtag-ipa-ca-renew-agent-submit
View File

@ -279,12 +279,13 @@ def renew_ca_cert():
cert = os.environ.get('CERTMONGER_CERTIFICATE') cert = os.environ.get('CERTMONGER_CERTIFICATE')
if not cert: if not cert:
return (REJECTED, "New certificate requests not supported") return (REJECTED, "New certificate requests not supported")
is_self_signed = x509.is_self_signed(cert)
operation = os.environ.get('CERTMONGER_OPERATION') operation = os.environ.get('CERTMONGER_OPERATION')
if operation == 'SUBMIT': if operation == 'SUBMIT':
state = 'retrieve' state = 'retrieve'
if x509.is_self_signed(cert): if is_self_signed:
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if ca.is_renewal_master(): if ca.is_renewal_master():
state = 'request' state = 'request'
@ -304,6 +305,10 @@ def renew_ca_cert():
if state == 'retrieve': if state == 'retrieve':
result = retrieve_cert() result = retrieve_cert()
if result[0] == WAIT_WITH_DELAY and not is_self_signed:
syslog.syslog(syslog.LOG_ALERT,
"IPA CA certificate is about to expire, "
"use ipa-cacert-manage to renew it")
elif state == 'request': elif state == 'request':
os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert' os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
result = request_and_store_cert() result = request_and_store_cert()