mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
renew agent: get rid of virtual profiles
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse` and remove profile from the IPA CA certificate tracking request. This prevents virtual profiles from making their way into CSRs and in turn being rejected by certain CAs. This affected the IPA CA CSR with Microsoft CS in particular. https://pagure.io/freeipa/issue/5799 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
parent
0bf41e804e
commit
21f4cbf8da
@ -297,7 +297,7 @@ def store_cert(**kwargs):
|
||||
syslog.syslog(
|
||||
syslog.LOG_ERR,
|
||||
"Giving up. To retry storing the certificate, resubmit the "
|
||||
"request with profile \"ipaStorage\"")
|
||||
"request with CA \"dogtag-ipa-ca-renew-agent-reuse\"")
|
||||
|
||||
return (ISSUED, cert)
|
||||
|
||||
@ -420,33 +420,6 @@ def retrieve_cert(**kwargs):
|
||||
return result
|
||||
|
||||
|
||||
def export_csr(**kwargs):
|
||||
"""
|
||||
This does not actually renew the cert, it just writes the CSR provided
|
||||
by certmonger to /var/lib/ipa/ca.csr and returns the existing cert.
|
||||
"""
|
||||
operation = os.environ.get('CERTMONGER_OPERATION')
|
||||
if operation != 'SUBMIT':
|
||||
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
|
||||
|
||||
csr = os.environ.get('CERTMONGER_CSR')
|
||||
if not csr:
|
||||
return (UNCONFIGURED, "Certificate request not provided")
|
||||
|
||||
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
||||
if not cert:
|
||||
return (REJECTED, "New certificate requests not supported")
|
||||
|
||||
csr_file = paths.IPA_CA_CSR
|
||||
try:
|
||||
with open(csr_file, 'wb') as f:
|
||||
f.write(csr)
|
||||
except Exception as e:
|
||||
return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
|
||||
|
||||
return (ISSUED, cert)
|
||||
|
||||
|
||||
def renew_ca_cert(reuse_existing, **kwargs):
|
||||
"""
|
||||
This is used for automatic CA certificate renewal.
|
||||
@ -497,12 +470,15 @@ def renew_ca_cert(reuse_existing, **kwargs):
|
||||
"use ipa-cacert-manage to renew it"
|
||||
% (os.environ.get("CERTMONGER_REQ_SUBJECT"),))
|
||||
elif state == 'request':
|
||||
profile = os.environ['CERTMONGER_CA_PROFILE']
|
||||
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
||||
os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
|
||||
result = call_handler(request_and_store_cert,
|
||||
reuse_existing=reuse_existing,
|
||||
**kwargs)
|
||||
os.environ['CERTMONGER_CA_PROFILE'] = profile
|
||||
if profile is not None:
|
||||
os.environ['CERTMONGER_CA_PROFILE'] = profile
|
||||
else:
|
||||
del os.environ['CERTMONGER_CA_PROFILE']
|
||||
|
||||
if result[0] == WAIT:
|
||||
return (result[0], '%s:%s' % (state, result[1]))
|
||||
@ -522,14 +498,6 @@ def main():
|
||||
else:
|
||||
kwargs['reuse_existing'] = True
|
||||
|
||||
handlers = {
|
||||
'ipaStorage': store_cert,
|
||||
'ipaRetrievalOrReuse': retrieve_or_reuse_cert,
|
||||
'ipaRetrieval': retrieve_cert,
|
||||
'ipaCSRExport': export_csr,
|
||||
'ipaCACertRenewal': renew_ca_cert,
|
||||
}
|
||||
|
||||
api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
|
||||
api.finalize()
|
||||
|
||||
@ -547,15 +515,15 @@ def main():
|
||||
|
||||
api.Backend.ldap2.connect()
|
||||
|
||||
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
||||
if is_replicated():
|
||||
if get_nickname() == IPA_CA_NICKNAME:
|
||||
handler = renew_ca_cert
|
||||
elif is_replicated():
|
||||
if is_renewal_master():
|
||||
handler = request_and_store_cert
|
||||
else:
|
||||
handler = retrieve_cert_continuous
|
||||
else:
|
||||
handler = request_cert
|
||||
handler = handlers.get(profile, handler)
|
||||
|
||||
res = call_handler(handler, **kwargs)
|
||||
for item in res[1:]:
|
||||
|
@ -153,7 +153,7 @@ class CertUpdate(admintool.AdminTool):
|
||||
|
||||
self.log.debug("resubmitting certmonger request '%s'", request_id)
|
||||
certmonger.resubmit_request(
|
||||
request_id, profile='ipaRetrievalOrReuse')
|
||||
request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
|
||||
try:
|
||||
state = certmonger.wait_for_request(request_id, timeout)
|
||||
except RuntimeError:
|
||||
@ -167,7 +167,7 @@ class CertUpdate(admintool.AdminTool):
|
||||
"please check the request manually" % request_id)
|
||||
|
||||
self.log.debug("modifying certmonger request '%s'", request_id)
|
||||
certmonger.modify(request_id, profile='ipaCACertRenewal')
|
||||
certmonger.modify(request_id, ca='dogtag-ipa-ca-renew-agent')
|
||||
|
||||
self.update_file(paths.CA_CRT, certs)
|
||||
|
||||
|
@ -501,18 +501,29 @@ def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None):
|
||||
request.parent.obj_if.remove_request(request.path)
|
||||
|
||||
|
||||
def modify(request_id, profile=None):
|
||||
if profile:
|
||||
def modify(request_id, ca=None, profile=None):
|
||||
if ca or profile:
|
||||
request = _get_request({'nickname': request_id})
|
||||
if request:
|
||||
request.obj_if.modify({'template-profile': profile})
|
||||
update = {}
|
||||
if ca is not None:
|
||||
cm = _certmonger()
|
||||
update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
|
||||
if profile is not None:
|
||||
update['template-profile'] = profile
|
||||
request.obj_if.modify(update)
|
||||
|
||||
|
||||
def resubmit_request(request_id, profile=None):
|
||||
def resubmit_request(request_id, ca=None, profile=None):
|
||||
request = _get_request({'nickname': request_id})
|
||||
if request:
|
||||
if profile:
|
||||
request.obj_if.modify({'template-profile': profile})
|
||||
if ca or profile:
|
||||
update = {}
|
||||
if ca is not None:
|
||||
cm = _certmonger()
|
||||
update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
|
||||
if profile is not None:
|
||||
update['template-profile'] = profile
|
||||
request.obj_if.modify(update)
|
||||
request.obj_if.resubmit()
|
||||
|
||||
|
||||
|
@ -279,10 +279,10 @@ class CAInstance(DogtagInstance):
|
||||
2 = have signed cert, continue installation
|
||||
"""
|
||||
|
||||
tracking_reqs = (('auditSigningCert cert-pki-ca', None),
|
||||
('ocspSigningCert cert-pki-ca', None),
|
||||
('subsystemCert cert-pki-ca', None),
|
||||
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
|
||||
tracking_reqs = ('auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca',
|
||||
'caSigningCert cert-pki-ca')
|
||||
server_cert_name = 'Server-Cert cert-pki-ca'
|
||||
|
||||
def __init__(self, realm=None, host_name=None):
|
||||
|
@ -275,7 +275,7 @@ class DogtagInstance(service.Service):
|
||||
""" Configure certmonger to renew system certs """
|
||||
pin = self.__get_pin()
|
||||
|
||||
for nickname, profile in self.tracking_reqs:
|
||||
for nickname in self.tracking_reqs:
|
||||
try:
|
||||
certmonger.start_tracking(
|
||||
certpath=self.nss_db,
|
||||
@ -284,7 +284,7 @@ class DogtagInstance(service.Service):
|
||||
pin=pin,
|
||||
pre_command='stop_pkicad',
|
||||
post_command='renew_ca_cert "%s"' % nickname,
|
||||
profile=profile)
|
||||
)
|
||||
except RuntimeError as e:
|
||||
self.log.error(
|
||||
"certmonger failed to start tracking certificate: %s", e)
|
||||
@ -319,7 +319,7 @@ class DogtagInstance(service.Service):
|
||||
services.knownservices.messagebus.start()
|
||||
cmonger.start()
|
||||
|
||||
nicknames = [nickname for nickname, _profile in self.tracking_reqs]
|
||||
nicknames = self.tracking_reqs
|
||||
if self.server_cert_name is not None:
|
||||
nicknames.append(self.server_cert_name)
|
||||
|
||||
|
@ -172,14 +172,14 @@ class CACertManage(admintool.AdminTool):
|
||||
except errors.NotFound:
|
||||
raise admintool.ScriptError("CA renewal master not found")
|
||||
|
||||
self.resubmit_request(ca, 'caCACert')
|
||||
self.resubmit_request()
|
||||
|
||||
print("CA certificate successfully renewed")
|
||||
|
||||
def renew_external_step_1(self, ca):
|
||||
print("Exporting CA certificate signing request, please wait")
|
||||
|
||||
self.resubmit_request(ca, 'ipaCSRExport')
|
||||
self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse')
|
||||
|
||||
print(("The next step is to get %s signed by your CA and re-run "
|
||||
"ipa-cacert-manage as:" % paths.IPA_CA_CSR))
|
||||
@ -282,15 +282,15 @@ class CACertManage(admintool.AdminTool):
|
||||
except errors.NotFound:
|
||||
raise admintool.ScriptError("CA renewal master not found")
|
||||
|
||||
self.resubmit_request(ca, 'ipaRetrieval')
|
||||
self.resubmit_request('dogtag-ipa-ca-renew-agent-reuse')
|
||||
|
||||
print("CA certificate successfully renewed")
|
||||
|
||||
def resubmit_request(self, ca, profile):
|
||||
def resubmit_request(self, ca='dogtag-ipa-ca-renew-agent'):
|
||||
timeout = api.env.startup_timeout + 60
|
||||
|
||||
self.log.debug("resubmitting certmonger request '%s'", self.request_id)
|
||||
certmonger.resubmit_request(self.request_id, profile=profile)
|
||||
certmonger.resubmit_request(self.request_id, ca=ca, profile='')
|
||||
try:
|
||||
state = certmonger.wait_for_request(self.request_id, timeout)
|
||||
except RuntimeError:
|
||||
@ -304,7 +304,7 @@ class CACertManage(admintool.AdminTool):
|
||||
"please check the request manually" % self.request_id)
|
||||
|
||||
self.log.debug("modifying certmonger request '%s'", self.request_id)
|
||||
certmonger.modify(self.request_id, profile='ipaCACertRenewal')
|
||||
certmonger.modify(self.request_id, ca='dogtag-ipa-ca-renew-agent')
|
||||
|
||||
def install(self):
|
||||
print("Installing CA certificate, please wait")
|
||||
|
@ -60,9 +60,9 @@ class KRAInstance(DogtagInstance):
|
||||
be the same for both the CA and KRA.
|
||||
"""
|
||||
|
||||
tracking_reqs = (('auditSigningCert cert-pki-kra', None),
|
||||
('transportCert cert-pki-kra', None),
|
||||
('storageCert cert-pki-kra', None))
|
||||
tracking_reqs = ('auditSigningCert cert-pki-kra',
|
||||
'transportCert cert-pki-kra',
|
||||
'storageCert cert-pki-kra')
|
||||
|
||||
def __init__(self, realm):
|
||||
super(KRAInstance, self).__init__(
|
||||
|
@ -937,7 +937,7 @@ def certificate_renewal_update(ca, ds, http):
|
||||
'cert-presave-command': template % 'stop_pkicad',
|
||||
'cert-postsave-command':
|
||||
(template % 'renew_ca_cert "caSigningCert cert-pki-ca"'),
|
||||
'template-profile': 'ipaCACertRenewal',
|
||||
'template-profile': '',
|
||||
},
|
||||
{
|
||||
'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
|
Loading…
Reference in New Issue
Block a user