Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage

This should not normally happen, but if it does, report an error instead of
waiting indefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
Jan Cholasta 2014-10-14 11:26:15 +02:00 committed by Martin Kosek
parent 364d466fd7
commit 2cf0f0a658
2 changed files with 19 additions and 24 deletions


@ -311,25 +311,11 @@ def retrieve_or_reuse_cert():
return (ISSUED, cert) return (ISSUED, cert)
def retrieve_cert(): def retrieve_cert_continuous():
""" """
Retrieve new certificate from LDAP. Retrieve new certificate from LDAP. Repeat every eight hours until the
certificate is available.
""" """
operation = os.environ.get('CERTMONGER_OPERATION')
if operation == 'SUBMIT':
attempts = 0
elif operation == 'POLL':
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
if not cookie:
return (UNCONFIGURED, "Cookie not provided")
try:
attempts = int(cookie)
except ValueError:
return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
old_cert = os.environ.get('CERTMONGER_CERTIFICATE') old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
if old_cert: if old_cert:
old_cert = x509.normalize_certificate(old_cert) old_cert = x509.normalize_certificate(old_cert)
@ -340,11 +326,19 @@ def retrieve_cert():
new_cert = x509.normalize_certificate(result[1]) new_cert = x509.normalize_certificate(result[1])
if new_cert == old_cert: if new_cert == old_cert:
attempts += 1 syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
if attempts < 4: # No cert available yet, tell certmonger to wait another 8 hours
syslog.syslog(syslog.LOG_INFO, "Updated certificate not available") return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
# No cert available yet, tell certmonger to wait another 8 hours
return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts)) return result
def retrieve_cert():
"""
Retrieve new certificate from LDAP.
"""
result = call_handler(retrieve_cert_continuous)
if result[0] == WAIT_WITH_DELAY:
return (REJECTED, "Updated certificate not available")
return result return result
@ -451,7 +445,7 @@ def main():
if ca.is_renewal_master(): if ca.is_renewal_master():
handler = request_and_store_cert handler = request_and_store_cert
else: else:
handler = retrieve_cert handler = retrieve_cert_continuous
res = call_handler(handler) res = call_handler(handler)
for item in res[1:]: for item in res[1:]:
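Review bot: The new retrieve_cert_continuous drops the CERTMONGER_OPERATION dispatch that the removed lines had, so the helper no longer answers OPERATION_NOT_SUPPORTED_BY_HELPER for operations other than SUBMIT and POLL and instead goes straight to the LDAP lookup for whatever operation certmonger invokes it with; unless main() (only partly visible in the last hunk) performs that check before selecting the handler, a guard such as `if os.environ.get('CERTMONGER_OPERATION') not in ('SUBMIT', 'POLL'): return (OPERATION_NOT_SUPPORTED_BY_HELPER,)` should stay at the top of retrieve_cert_continuous. Separately, the docstring of the new retrieve_cert does not say how it differs from retrieve_cert_continuous, which is the whole point of the change; I would write `"""Retrieve new certificate from LDAP. Unlike retrieve_cert_continuous, do not wait for it: if the updated certificate is not in LDAP yet, reject the request so the caller fails instead of polling every eight hours."""`. The bodies of retrieve_cert_continuous and main both extend outside the hunks shown.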


@ -297,7 +297,8 @@ class CACertManage(admintool.AdminTool):
raise admintool.ScriptError( raise admintool.ScriptError(
"Resubmitting certmonger request '%s' timed out, " "Resubmitting certmonger request '%s' timed out, "
"please check the request manually" % self.request_id) "please check the request manually" % self.request_id)
if state != 'MONITORING': ca_error = certmonger.get_request_value(self.request_id, 'ca-error')
if state != 'MONITORING' or ca_error:
raise admintool.ScriptError( raise admintool.ScriptError(
"Error resubmitting certmonger request '%s', " "Error resubmitting certmonger request '%s', "
"please check the request manually" % self.request_id) "please check the request manually" % self.request_id)
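Review bot: When ca_error is set, the ScriptError raised on the lines that follow discards it and only tells the operator to check the request manually, although the helper's reason (for example "Updated certificate not available") is exactly what they need to act on. I would include it in the message, e.g. `"Error resubmitting certmonger request '%s': %s, please check the request manually" % (self.request_id, ca_error or "request state is %s" % state)`. The enclosing method starts before this hunk, so where `state` is last refreshed is not visible here.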