ipa-cacert-manage: handle alternative tracking request CA name

For an externally-signed CA, if an earlier run of ipa-cacert-manage was interrupted, the CA name in the IPA CA tracking request may have been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to "dogtag-ipa-ca-renew-agent" at the end of the CSR generation procedure). `ipa-cacert-manage renew` currently only looks for a tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this scenario the program fails with message "CA certificate is not tracked by certmonger". To handle this scenario, if the IPA CA tracking request is not found, try once again but with the "dogtag-ipa-ca-renew-agent-renew" CA name. Part of: https://pagure.io/freeipa/issue/6858 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-09-25 17:11:46 +10:00
parent d43cf35cca
commit 49c0a7b4d4
1 changed files with 18 additions and 8 deletions
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -148,20 +148,30 @@ class CACertManage(admintool.AdminTool):

        api.Backend.ldap2.connect(bind_pw=password)

+    def _get_ca_request_id(self, ca_name):
+        """Lookup tracking request for IPA CA, using given ca-name."""
+        criteria = {
+            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
+            'cert-nickname': self.cert_nickname,
+            'ca-name': ca_name,
+        }
+        return certmonger.get_request_id(criteria)
+
    def renew(self):
        ca = cainstance.CAInstance(api.env.realm)
        if not ca.is_configured():
            raise admintool.ScriptError("CA is not configured on this system")

-        criteria = {
-            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': self.cert_nickname,
-            'ca-name': 'dogtag-ipa-ca-renew-agent',
-        }
-        self.request_id = certmonger.get_request_id(criteria)
+        self.request_id = self._get_ca_request_id('dogtag-ipa-ca-renew-agent')
        if self.request_id is None:
-            raise admintool.ScriptError(
-                "CA certificate is not tracked by certmonger")
+            # if external CA renewal was interrupted, the request may have
+            # been left with the "dogtag-ipa-ca-renew-agent-reuse" CA;
+            # look for it too
+            self.request_id = \
+                self._get_ca_request_id('dogtag-ipa-ca-renew-agent-reuse')
+            if self.request_id is None:
+                raise admintool.ScriptError(
+                    "CA certificate is not tracked by certmonger")
        logger.debug(
            "Found certmonger request id %r", self.request_id)