cainstance: use correct profile for lightweight CA certificates

Use Dogtag's `caCACert` CA certificate profile rather than the `ipaCACertRenewal` virtual profile for lightweight CA certificates. The `ipaCACertRenewal` virtual profile adds special handling of externally signed CA certificates and LDAP replication of issued certificates on top of `caCACert`, neither of which is relevant for lightweight CA certificates. Remove all of the special casing of lightweight CA certificates from dogtag-ipa-ca-renew-agent-submit. Make sure existing lightweight CA certmonger tracking requests are updated on server upgrade. https://pagure.io/freeipa/issue/5799 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-02-28 10:58:28 +00:00
parent 5abd9bb996
commit 09a49ad458
3 changed files with 23 additions and 36 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -436,7 +436,7 @@ class CAInstance(DogtagInstance):
                    self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)

                self.step("configuring certmonger renewal for lightweight CAs",
-                          self.__add_lightweight_ca_tracking_requests)
+                          self.add_lightweight_ca_tracking_requests)

        if ra_only:
            runtime = None
@@ -1246,7 +1246,7 @@ class CAInstance(DogtagInstance):
        os.chmod(keyfile, 0o600)
        os.chown(keyfile, pent.pw_uid, pent.pw_gid)

-    def __add_lightweight_ca_tracking_requests(self):
+    def add_lightweight_ca_tracking_requests(self):
        try:
            lwcas = api.Backend.ldap2.get_entries(
                base_dn=api.env.basedn,
@@ -1810,11 +1810,10 @@ def add_lightweight_ca_tracking_requests(logger, lwcas):
                    pin=certmonger.get_pin('internal'),
                    nickname=nickname,
                    ca=ipalib.constants.RENEWAL_CA_NAME,
+                    profile='caCACert',
                    pre_command='stop_pkicad',
                    post_command='renew_ca_cert "%s"' % nickname,
                )
-                request_id = certmonger.get_request_id(criteria)
-                certmonger.modify(request_id, profile='ipaCACertRenewal')
                logger.debug(
                    'Lightweight CA renewal: '
                    'added tracking request for "%s"', nickname)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -974,6 +974,21 @@ def certificate_renewal_update(ca, ds, http):
        root_logger.info('CA is not configured')
        return False

+    db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
+    for nickname, _trust_flags in db.list_certs():
+        if nickname.startswith('caSigningCert cert-pki-ca '):
+            requests.append(
+                {
+                    'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
+                    'cert-nickname': nickname,
+                    'ca': 'dogtag-ipa-ca-renew-agent',
+                    'cert-presave-command': template % 'stop_pkicad',
+                    'cert-postsave-command':
+                        (template % ('renew_ca_cert "%s"' % nickname)),
+                    'template-profile': 'caCACert',
+                }
+            )
+
    # State not set, lets see if we are already configured
    for request in requests:
        request_id = certmonger.get_request_id(request)
@@ -998,6 +1013,7 @@ def certificate_renewal_update(ca, ds, http):
    ca.configure_renewal()
    ca.configure_agent_renewal()
    ca.track_servercert()
+    ca.add_lightweight_ca_tracking_requests()
    ds.start_tracking_certificates(serverid)
    http.start_tracking_certificates()