dogtaginstance: add profile to tracking requests

Enabling "fresh" renewals (c.f. "renewal"-based renewals that reference the expired certificate and its associated request object) will improve renewal robustness. To use fresh renewals the tracking request must record the profile to be used. Make dogtaginstance record the profile when creating tracking requests for both CA and KRA. Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use profile 'caServerCert', which is the default (according to dogtag-ipa-renew-agent which is part of Certmonger). So we do not need any special handling for those certificates. This commit does not handle upgrade. It will be handled in a subsequent commit. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-05-17 16:04:14 +10:00 · 2019-05-17 16:04:14 +10:00 · 3c388f5a22
commit 3c388f5a22
parent e771fa59ff
3 changed files with 18 additions and 8 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -267,10 +267,12 @@ class CAInstance(DogtagInstance):
       2 = have signed cert, continue installation
    """

-    tracking_reqs = ('auditSigningCert cert-pki-ca',
-                     'ocspSigningCert cert-pki-ca',
-                     'subsystemCert cert-pki-ca',
-                     'caSigningCert cert-pki-ca')
+    tracking_reqs = {
+        'auditSigningCert cert-pki-ca': 'caSignedLogCert',
+        'ocspSigningCert cert-pki-ca': 'caOCSPCert',
+        'subsystemCert cert-pki-ca': 'caSubsystemCert',
+        'caSigningCert cert-pki-ca': 'caCACert',
+    }
    server_cert_name = 'Server-Cert cert-pki-ca'
    # The following must be aligned with the RewriteRule defined in
    # install/share/ipa-pki-proxy.conf.template
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -95,7 +95,12 @@ class DogtagInstance(service.Service):
    CA, KRA, and eventually TKS and TPS.
    """

-    tracking_reqs = None
+    # Mapping of nicknames for tracking requests, and the profile to use for
+    # that certificate.  'configure_renewal()' reads this dict and adds the
+    # profile if configured.  Certificates that use the default profile
+    # ("caServerCert", as defined by dogtag-ipa-renew-agent which is part of
+    # Certmonger) are omitted.
+    tracking_reqs = dict()
    server_cert_name = None

    # token for CA and subsystem certificates. For now, only internal token
@ -330,6 +335,7 @@ class DogtagInstance(service.Service):
                    pin=pin,
                    pre_command='stop_pkicad',
                    post_command='renew_ca_cert "%s"' % nickname,
+                    profile=self.tracking_reqs[nickname],
                )
            except RuntimeError as e:
                logger.error(
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@ -60,9 +60,11 @@ class KRAInstance(DogtagInstance):
    be the same for both the CA and KRA.
    """

-    tracking_reqs = ('auditSigningCert cert-pki-kra',
-                     'transportCert cert-pki-kra',
-                     'storageCert cert-pki-kra')
+    tracking_reqs = {
+        'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert',
+        'transportCert cert-pki-kra': 'caInternalAuthTransportCert',
+        'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert',
+    }

    def __init__(self, realm):
        super(KRAInstance, self).__init__(