upgrade: update KRA tracking requests

The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates.  If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.

But the KRA was left out.  Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fraser Tweedale
2019-06-26 14:08:48 +10:00
parent 4f4e2f96b0
commit 482866e47e


@@ -5,6 +5,7 @@
from __future__ import print_function, absolute_import
import errno
import itertools
import logging
import re
import os
@@ -964,7 +965,7 @@ def named_add_crypto_policy():
return True
def certificate_renewal_update(ca, ds, http):
def certificate_renewal_update(ca, kra, ds, http):
"""
Update certmonger certificate renewal configuration.
"""
@@ -974,7 +975,11 @@ def certificate_renewal_update(ca, ds, http):
requests = []
for nick, profile in cainstance.CAInstance.tracking_reqs.items():
dogtag_reqs = ca.tracking_reqs.items()
if kra.is_installed():
dogtag_reqs = itertools.chain(dogtag_reqs, kra.tracking_reqs.items())
for nick, profile in dogtag_reqs:
req = {
'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
'cert-nickname': nick,
@@ -1056,6 +1061,8 @@ def certificate_renewal_update(ca, ds, http):
# Ok, now we need to stop tracking, then we can start tracking them
# again with new configuration:
ca.stop_tracking_certificates()
if kra.is_installed():
kra.stop_tracking_certificates()
ds.stop_tracking_certificates(serverid)
http.stop_tracking_certificates()
@@ -1069,6 +1076,8 @@ def certificate_renewal_update(ca, ds, http):
ca.configure_renewal()
ca.configure_agent_renewal()
ca.add_lightweight_ca_tracking_requests()
if kra.is_installed():
kra.configure_renewal()
ds.start_tracking_certificates(serverid)
http.start_tracking_certificates()
@@ -2050,7 +2059,7 @@ def upgrade_configuration():
ca_restart,
ca_upgrade_schema(ca),
upgrade_ca_audit_cert_validity(ca),
certificate_renewal_update(ca, ds, http),
certificate_renewal_update(ca, kra, ds, http),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
ca_configure_lightweight_ca_acls(ca),
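Review bot: `kra.is_installed()` is evaluated separately at each of the three new guards (the loop setup in the second hunk, the stop block in the third and the re-track block in the fourth), so the decision to remove KRA tracking requests and the decision to recreate them rest on independent observations; evaluating it once near the top, `kra_installed = kra.is_installed()`, and reusing that local keeps the remove and recreate steps consistent and avoids repeating a check that presumably inspects installed state. The docstring of certificate_renewal_update still reads only `Update certmonger certificate renewal configuration.`; with the new parameter it should also say that KRA tracking requests are compared and recreated only when the KRA is installed. It is also worth confirming that `kra.configure_renewal()` recreates every request listed in `kra.tracking_reqs`, because the stop call in the third hunk removes all of them and any request it does not recreate would leave a KRA certificate untracked until the next upgrade. The body of certificate_renewal_update continues outside the hunks shown.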