renew agent: always export CSR on IPA CA certificate renewal

Make sure a CSR is exported for the IPA CA whenever certmonger detects that the CA certificate is about to expire. This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA instead of the `ipaCSRExport` virtual profile to export the CSR. https://pagure.io/freeipa/issue/5799 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-01-11 00:31:56 -06:00 · 2017-04-24 06:20:07 +00:00 · 2017-04-24 06:20:07 +00:00 · 0bf41e804e
commit 0bf41e804e
parent 25aeeaf46d
1 changed files with 11 additions and 0 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@ -451,6 +451,10 @@ def renew_ca_cert(reuse_existing, **kwargs):
    """
    This is used for automatic CA certificate renewal.
    """
+    csr = os.environ.get('CERTMONGER_CSR')
+    if not csr:
+        return (UNCONFIGURED, "Certificate request not provided")
+
    cert = os.environ.get('CERTMONGER_CERTIFICATE')
    if not cert:
        return (REJECTED, "New certificate requests not supported")
@ -462,6 +466,13 @@ def renew_ca_cert(reuse_existing, **kwargs):

        if is_self_signed and not reuse_existing and is_renewal_master():
            state = 'request'
+
+        csr_file = paths.IPA_CA_CSR
+        try:
+            with open(csr_file, 'wb') as f:
+                f.write(csr)
+        except Exception as e:
+            return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
    elif operation == 'POLL':
        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
        if not cookie: