Wait for client certificates

ipa-client-install --request-cert now waits until certmonger has provided a host certificate. In case of an error, ipa-client-install no longer pretents to success but fails with an error code. The --request-cert option also ensures that certmonger is enabled and running. See: Fixes: https://pagure.io/freeipa/issue/7623 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-07-09 13:53:44 +02:00 · 2018-07-09 13:53:44 +02:00 · 2b669c52a5
commit 2b669c52a5
parent 1fa2a7cd41
2 changed files with 27 additions and 8 deletions
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@ -824,6 +824,7 @@ def configure_certmonger(
    cmonger = services.knownservices.certmonger
    try:
        cmonger.enable()
+        cmonger.start()
    except Exception as e:
        logger.error(
            "Failed to configure automatic startup of the %s daemon: %s",
@ -835,19 +836,24 @@ def configure_certmonger(
    subject = str(DN(('CN', hostname), subject_base))
    passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
    try:
-        certmonger.request_cert(
+        certmonger.request_and_wait_for_cert(
            certpath=paths.IPA_NSSDB_DIR,
            storage='NSSDB',
            nickname='Local IPA host',
            subject=subject,
            dns=[hostname],
            principal=principal,
-            passwd_fname=passwd_fname
+            passwd_fname=passwd_fname,
+            resubmit_timeout=120,
+        )
+    except Exception as e:
+        logger.exception("certmonger request failed")
+        raise ScriptError(
+            "{} request for host certificate failed: {}".format(
+                cmonger.service_name, e
+            ),
+            rval=CLIENT_INSTALL_ERROR
        )
-    except Exception as ex:
-        logger.error(
-            "%s request for host certificate failed: %s",
-            cmonger.service_name, ex)


 def configure_sssd_conf(
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@ -142,10 +142,23 @@ class TestInstallClientNoAdmin(IntegrationTest):
        user_kinit = "%s\n%s\n%s\n" % (password, password, password)
        self.master.run_command(['kinit', username],
                                stdin_text=user_kinit)
-        tasks.install_client(self.master, client, user=username,
-                             password=password)
+        tasks.install_client(
+            self.master, client,
+            extra_args=['--request-cert'],
+            user=username, password=password
+        )
        msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
              (username, client.domain.name)
        install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
                                               encoding='utf-8')
        assert msg in install_log
+
+        # check that user is able to request a host cert, too
+        result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
+        assert 'Local IPA host' in result.stdout_text
+        result = tasks.run_certutil(
+            client,
+            ['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
+            paths.IPA_NSSDB_DIR
+        )
+        assert 'Local IPA host' in result.stdout_text