dogtag-ipa-ca-renew-agent: always use profile-based renewal

Update the renewal helper to always request a new certificate ("enrollment request") instead of using "renewal request". The latter is brittle in the face of: - missing certificate record in database - missing original request record in database (pointed to by certificate record) - "mismatched" certificate or request records (there have been many cases of this; it is suspected that request/serial range conflicts, or something similar, may be the cause) The Dogtag tracking request must know what profile to use, except where the certificate uses the default profile ("caServerCert" per 'dogtag-ipa-renew-agent' implementation in Certmonger itself). This part of the puzzle was dealt with in previous commits. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-05-17 16:38:01 +10:00
parent 858ef59948
commit 1fb6fda01f
1 changed files with 3 additions and 3 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@@ -203,9 +203,9 @@ def request_cert(reuse_existing, **kwargs):
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
-            ['--submit-option', "requestor_name=IPA"])
-    if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
-        args += ['--force-new', '--approval-option', 'bypassCAnotafter=true']
+            ['--submit-option', "requestor_name=IPA"] +
+            ['--force-new', '--approval-option', 'bypassCAnotafter=true']
+    )
    result = ipautil.run(args, raiseonerr=False, env=os.environ,
                         capture_output=True)
    if six.PY2: