mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
dogtag-ipa-ca-renew-agent: always use profile-based renewal
Update the renewal helper to always request a new certificate ("enrollment request") instead of using "renewal request". The latter is brittle in the face of: - missing certificate record in database - missing original request record in database (pointed to by certificate record) - "mismatched" certificate or request records (there have been many cases of this; it is suspected that request/serial range conflicts, or something similar, may be the cause) The Dogtag tracking request must know what profile to use, except where the certificate uses the default profile ("caServerCert" per 'dogtag-ipa-renew-agent' implementation in Certmonger itself). This part of the puzzle was dealt with in previous commits. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
858ef59948
commit
1fb6fda01f
@ -203,9 +203,9 @@ def request_cert(reuse_existing, **kwargs):
|
|||||||
"--certfile", paths.RA_AGENT_PEM,
|
"--certfile", paths.RA_AGENT_PEM,
|
||||||
"--keyfile", paths.RA_AGENT_KEY] +
|
"--keyfile", paths.RA_AGENT_KEY] +
|
||||||
sys.argv[1:] +
|
sys.argv[1:] +
|
||||||
['--submit-option', "requestor_name=IPA"])
|
['--submit-option', "requestor_name=IPA"] +
|
||||||
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
|
['--force-new', '--approval-option', 'bypassCAnotafter=true']
|
||||||
args += ['--force-new', '--approval-option', 'bypassCAnotafter=true']
|
)
|
||||||
result = ipautil.run(args, raiseonerr=False, env=os.environ,
|
result = ipautil.run(args, raiseonerr=False, env=os.environ,
|
||||||
capture_output=True)
|
capture_output=True)
|
||||||
if six.PY2:
|
if six.PY2:
|
||||||
|
Loading…
Reference in New Issue
Block a user