mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
cainstance: use correct profile for lightweight CA certificates
Use Dogtag's `caCACert` CA certificate profile rather than the `ipaCACertRenewal` virtual profile for lightweight CA certificates. The `ipaCACertRenewal` virtual profile adds special handling of externally signed CA certificates and LDAP replication of issued certificates on top of `caCACert`, neither of which is relevant for lightweight CA certificates. Remove all of the special casing of lightweight CA certificates from dogtag-ipa-ca-renew-agent-submit. Make sure existing lightweight CA certmonger tracking requests are updated on server upgrade. https://pagure.io/freeipa/issue/5799 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
parent
5abd9bb996
commit
09a49ad458
@ -98,25 +98,7 @@ def get_nickname():
|
||||
DN('CN=IPA RA', subject_base): 'ipaCert',
|
||||
}
|
||||
|
||||
try:
|
||||
return nickname_by_subject_dn[DN(subject)]
|
||||
except KeyError:
|
||||
cas = api.Command.ca_find(ipacasubjectdn=DN(subject))['result']
|
||||
if len(cas) == 0:
|
||||
return None
|
||||
return 'caSigningCert cert-pki-ca {}'.format(cas[0]['ipacaid'][0])
|
||||
|
||||
|
||||
def is_lightweight_ca():
|
||||
nickname = get_nickname() or ''
|
||||
return nickname != IPA_CA_NICKNAME and nickname.startswith(IPA_CA_NICKNAME)
|
||||
|
||||
def is_renewable():
|
||||
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
||||
if not cert:
|
||||
return False
|
||||
else:
|
||||
return x509.is_self_signed(cert) or is_lightweight_ca()
|
||||
return nickname_by_subject_dn.get(DN(subject))
|
||||
|
||||
|
||||
def is_replicated():
|
||||
@ -276,11 +258,6 @@ def store_cert():
|
||||
if not cert:
|
||||
return (REJECTED, "New certificate requests not supported")
|
||||
|
||||
if is_lightweight_ca():
|
||||
# Lightweight CAs are updated in Dogtag's NSSDB
|
||||
# by Dogtag itself, so do not store it
|
||||
return (ISSUED, cert)
|
||||
|
||||
dercert = x509.normalize_certificate(cert)
|
||||
|
||||
dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
|
||||
@ -405,12 +382,6 @@ def retrieve_cert_continuous():
|
||||
if old_cert:
|
||||
old_cert = x509.normalize_certificate(old_cert)
|
||||
|
||||
if is_lightweight_ca():
|
||||
# Lightweight CAs are updated in Dogtag's NSSDB
|
||||
# by Dogtag itself, so do not try to retrieve it.
|
||||
# Everything is fine as is.
|
||||
return (ISSUED, os.environ.get('CERTMONGER_CERTIFICATE'))
|
||||
|
||||
result = call_handler(retrieve_or_reuse_cert)
|
||||
if result[0] != ISSUED:
|
||||
return result
|
||||
@ -466,12 +437,13 @@ def renew_ca_cert():
|
||||
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
||||
if not cert:
|
||||
return (REJECTED, "New certificate requests not supported")
|
||||
is_self_signed = x509.is_self_signed(cert)
|
||||
|
||||
operation = os.environ.get('CERTMONGER_OPERATION')
|
||||
if operation == 'SUBMIT':
|
||||
state = 'retrieve'
|
||||
|
||||
if is_renewable() and is_renewal_master():
|
||||
if is_self_signed and is_renewal_master():
|
||||
state = 'request'
|
||||
elif operation == 'POLL':
|
||||
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
|
||||
@ -489,7 +461,7 @@ def renew_ca_cert():
|
||||
|
||||
if state == 'retrieve':
|
||||
result = call_handler(retrieve_cert)
|
||||
if result[0] == REJECTED and not is_renewable():
|
||||
if result[0] == REJECTED and not is_self_signed:
|
||||
syslog.syslog(syslog.LOG_ALERT,
|
||||
"Certificate with subject '%s' is about to expire, "
|
||||
"use ipa-cacert-manage to renew it"
|
||||
|
@ -436,7 +436,7 @@ class CAInstance(DogtagInstance):
|
||||
self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
|
||||
|
||||
self.step("configuring certmonger renewal for lightweight CAs",
|
||||
self.__add_lightweight_ca_tracking_requests)
|
||||
self.add_lightweight_ca_tracking_requests)
|
||||
|
||||
if ra_only:
|
||||
runtime = None
|
||||
@ -1246,7 +1246,7 @@ class CAInstance(DogtagInstance):
|
||||
os.chmod(keyfile, 0o600)
|
||||
os.chown(keyfile, pent.pw_uid, pent.pw_gid)
|
||||
|
||||
def __add_lightweight_ca_tracking_requests(self):
|
||||
def add_lightweight_ca_tracking_requests(self):
|
||||
try:
|
||||
lwcas = api.Backend.ldap2.get_entries(
|
||||
base_dn=api.env.basedn,
|
||||
@ -1810,11 +1810,10 @@ def add_lightweight_ca_tracking_requests(logger, lwcas):
|
||||
pin=certmonger.get_pin('internal'),
|
||||
nickname=nickname,
|
||||
ca=ipalib.constants.RENEWAL_CA_NAME,
|
||||
profile='caCACert',
|
||||
pre_command='stop_pkicad',
|
||||
post_command='renew_ca_cert "%s"' % nickname,
|
||||
)
|
||||
request_id = certmonger.get_request_id(criteria)
|
||||
certmonger.modify(request_id, profile='ipaCACertRenewal')
|
||||
logger.debug(
|
||||
'Lightweight CA renewal: '
|
||||
'added tracking request for "%s"', nickname)
|
||||
|
@ -974,6 +974,21 @@ def certificate_renewal_update(ca, ds, http):
|
||||
root_logger.info('CA is not configured')
|
||||
return False
|
||||
|
||||
db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
|
||||
for nickname, _trust_flags in db.list_certs():
|
||||
if nickname.startswith('caSigningCert cert-pki-ca '):
|
||||
requests.append(
|
||||
{
|
||||
'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
'cert-nickname': nickname,
|
||||
'ca': 'dogtag-ipa-ca-renew-agent',
|
||||
'cert-presave-command': template % 'stop_pkicad',
|
||||
'cert-postsave-command':
|
||||
(template % ('renew_ca_cert "%s"' % nickname)),
|
||||
'template-profile': 'caCACert',
|
||||
}
|
||||
)
|
||||
|
||||
# State not set, lets see if we are already configured
|
||||
for request in requests:
|
||||
request_id = certmonger.get_request_id(request)
|
||||
@ -998,6 +1013,7 @@ def certificate_renewal_update(ca, ds, http):
|
||||
ca.configure_renewal()
|
||||
ca.configure_agent_renewal()
|
||||
ca.track_servercert()
|
||||
ca.add_lightweight_ca_tracking_requests()
|
||||
ds.start_tracking_certificates(serverid)
|
||||
http.start_tracking_certificates()
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user