renew agent: get rid of virtual profiles

Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse` and remove profile from the IPA CA certificate tracking request. This prevents virtual profiles from making their way into CSRs and in turn being rejected by certain CAs. This affected the IPA CA CSR with Microsoft CS in particular. https://pagure.io/freeipa/issue/5799 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-04-24 06:40:11 +00:00
parent 0bf41e804e
commit 21f4cbf8da
8 changed files with 46 additions and 67 deletions
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -501,18 +501,29 @@ def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None):
        request.parent.obj_if.remove_request(request.path)


-def modify(request_id, profile=None):
-    if profile:
+def modify(request_id, ca=None, profile=None):
+    if ca or profile:
        request = _get_request({'nickname': request_id})
-        if request:
-            request.obj_if.modify({'template-profile': profile})
+        update = {}
+        if ca is not None:
+            cm = _certmonger()
+            update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
+        if profile is not None:
+            update['template-profile'] = profile
+        request.obj_if.modify(update)


-def resubmit_request(request_id, profile=None):
+def resubmit_request(request_id, ca=None, profile=None):
    request = _get_request({'nickname': request_id})
    if request:
-        if profile:
-            request.obj_if.modify({'template-profile': profile})
+        if ca or profile:
+            update = {}
+            if ca is not None:
+                cm = _certmonger()
+                update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
+            if profile is not None:
+                update['template-profile'] = profile
+            request.obj_if.modify(update)
        request.obj_if.resubmit()