dogtag-ipa-ca-renew-agent: always use profile-based renewal

Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request".  The
latter is brittle in the face of:

- missing certificate record in database

- missing original request record in database (pointed to by
  certificate record)

- "mismatched" certificate or request records (there have been many
  cases of this; it is suspected that request/serial range conflicts,
  or something similar, may be the cause)

The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Fraser Tweedale 2019-05-17 16:38:01 +10:00
parent 858ef59948
commit 1fb6fda01f

View File

@ -203,9 +203,9 @@ def request_cert(reuse_existing, **kwargs):
"--certfile", paths.RA_AGENT_PEM, "--certfile", paths.RA_AGENT_PEM,
"--keyfile", paths.RA_AGENT_KEY] + "--keyfile", paths.RA_AGENT_KEY] +
sys.argv[1:] + sys.argv[1:] +
['--submit-option', "requestor_name=IPA"]) ['--submit-option', "requestor_name=IPA"] +
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert': ['--force-new', '--approval-option', 'bypassCAnotafter=true']
args += ['--force-new', '--approval-option', 'bypassCAnotafter=true'] )
result = ipautil.run(args, raiseonerr=False, env=os.environ, result = ipautil.run(args, raiseonerr=False, env=os.environ,
capture_output=True) capture_output=True)
if six.PY2: if six.PY2: