dogtag-ipa-ca-renew-agent: always use profile-based renewal

Update the renewal helper to always request a new certificate ("enrollment request") instead of using "renewal request". The latter is brittle in the face of: - missing certificate record in database - missing original request record in database (pointed to by certificate record) - "mismatched" certificate or request records (there have been many cases of this; it is suspected that request/serial range conflicts, or something similar, may be the cause) The Dogtag tracking request must know what profile to use, except where the certificate uses the default profile ("caServerCert" per 'dogtag-ipa-renew-agent' implementation in Certmonger itself). This part of the puzzle was dealt with in previous commits. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-12-23 07:33:27 -06:00 · 2019-05-17 16:38:01 +10:00 · 2019-05-17 16:38:01 +10:00 · 1fb6fda01f
commit 1fb6fda01f
parent 858ef59948
1 changed files with 3 additions and 3 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@ -203,9 +203,9 @@ def request_cert(reuse_existing, **kwargs):
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
-            ['--submit-option', "requestor_name=IPA"])
-    if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
-        args += ['--force-new', '--approval-option', 'bypassCAnotafter=true']
+            ['--submit-option', "requestor_name=IPA"] +
+            ['--force-new', '--approval-option', 'bypassCAnotafter=true']
+    )
    result = ipautil.run(args, raiseonerr=False, env=os.environ,
                         capture_output=True)
    if six.PY2: