Replace subsystem.select with CAInstance.is_crlgen_enabled()

The subsystem.select is not a reliable indicator to determine whether the CA is a renewal master since there is no process in PKI to update the param when the role of the instance changes (from master to clone and vice versa) so the param has been removed in PKI 11.5. Instead, it's better to use CAInstance.is_crlgen_enabled() since CRL generation is only enabled in a renewal master. Signed-off-by: Endi Sukma Dewata <edewata@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-08-14 10:05:14 -05:00 · 2023-08-14 10:05:14 -05:00 · 1202d0149b
commit 1202d0149b
parent 44349cfa76
1 changed files with 2 additions and 12 deletions
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@ -28,7 +28,6 @@ from ipalib.install import certmonger
 from ipalib.plugable import Registry
 from ipaplatform.paths import paths
 from ipapython.dn import DN
-from ipapython import directivesetter

 logger = logging.getLogger(__name__)

@ -108,18 +107,9 @@ class update_ca_renewal_master(Updater):
        else:
            logger.debug("certmonger request for RA cert not found")

-            config = directivesetter.get_directive(
-                paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
-
-            if config == 'New':
-                pass
-            elif config == 'Clone':
+            if not ca.is_crlgen_enabled():
+                # CA is not a renewal master
                return False, []
-            else:
-                logger.warning(
-                    "CS.cfg has unknown subsystem.select value '%s', "
-                    "assuming local CA is not a renewal master", config)
-                return (False, False, [])

        update = {
                'dn': dn,