Skip CS.cfg update if cert nickname not known

After CA certificate renewal, the ``renew_ca_cert`` helper updates certificate data in CS.cfg. An unrecognised nickname will raise ``KeyError``. To allow the helper to be used for arbitrary certificates (e.g. lightweight CAs), do not fail if the nickname is unrecognised - just skip the update. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-17 13:33:26 +10:00 · 2016-06-17 13:33:26 +10:00 · 67f13c82d8
commit 67f13c82d8
parent f0b1e37d2e
3 changed files with 9 additions and 8 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -1241,8 +1241,9 @@ class CAInstance(DogtagInstance):
        except Exception as e:
            syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)

-        DogtagInstance.update_cert_cs_cfg(
-            nickname, cert, directives, paths.CA_CS_CFG_PATH)
+        if nickname in directives:
+            DogtagInstance.update_cert_cs_cfg(
+                directives[nickname], cert, paths.CA_CS_CFG_PATH)

    def __create_ds_db(self):
        '''
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -370,21 +370,20 @@ class DogtagInstance(service.Service):
            cmonger.stop()

    @staticmethod
-    def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
+    def update_cert_cs_cfg(directive, cert, cs_cfg):
        """
        When renewing a Dogtag subsystem certificate the configuration file
        needs to get the new certificate as well.

-        nickname is one of the known nicknames.
+        ``directive`` is the directive to update in CS.cfg
        cert is a DER-encoded certificate.
-        directives is the list of directives to be updated for the subsystem
        cs_cfg is the path to the CS.cfg file
        """

        with stopped_service('pki-tomcatd', 'pki-tomcat'):
            installutils.set_directive(
                cs_cfg,
-                directives[nickname],
+                directive,
                base64.b64encode(cert),
                quotes=False,
                separator='=')
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@ -348,8 +348,9 @@ class KRAInstance(DogtagInstance):
            'subsystemCert cert-pki-kra': 'kra.subsystem.cert',
            'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}

-        DogtagInstance.update_cert_cs_cfg(
-            nickname, cert, directives, paths.KRA_CS_CFG_PATH)
+        if nickname in directives:
+            DogtagInstance.update_cert_cs_cfg(
+                directives[nickname], cert, paths.KRA_CS_CFG_PATH)

    def __enable_instance(self):
        self.ldap_enable('KRA', self.fqdn, None, self.suffix)