Dogtag: Remove set_audit_renewal step

The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see
f5b8ea5b08

The update step would also no longer work. Profiles have been migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Christian Heimes 2020-09-25 11:53:28 +02:00
parent 9eccaf6269
commit 8882680ee1
2 changed files with 0 additions and 52 deletions

View File

@ -435,8 +435,6 @@ class CAInstance(DogtagInstance):
self.__import_ra_cert)
if not ra_only:
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("restarting certificate server", self.restart_instance)
if not self.clone:
self.step("publishing the CA certificate",
self.__export_ca_chain)
@ -1089,41 +1087,6 @@ class CAInstance(DogtagInstance):
if stop_certmonger:
services.knownservices.certmonger.stop()
def set_audit_renewal(self):
"""
The default renewal time for the audit signing certificate is
six months rather than two years. Fix it. This is BZ 843979.
"""
# Check the default validity period of the audit signing cert
# and set it to 2 years if it is 6 months.
cert_range = directivesetter.get_directive(
paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.default.params.range',
separator='='
)
logger.debug(
'caSignedLogCert.cfg profile validity range is %s', cert_range)
if cert_range == "180":
directivesetter.set_directive(
paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.default.params.range',
'720',
quotes=False,
separator='='
)
directivesetter.set_directive(
paths.CASIGNEDLOGCERT_CFG,
'policyset.caLogSigningSet.2.constraint.params.range',
'720',
quotes=False,
separator='='
)
logger.debug(
'updated caSignedLogCert.cfg profile validity range to 720')
return True
return False
def is_renewal_master(self, fqdn=None):
if fqdn is None:
fqdn = api.env.host

View File

@ -502,20 +502,6 @@ def ca_disable_publish_cert(ca):
return True # restart needed
def upgrade_ca_audit_cert_validity(ca):
"""
Update the Dogtag audit signing certificate.
Returns True if restart is needed, False otherwise.
"""
logger.info('[Verifying that CA audit signing cert has 2 year validity]')
if ca.is_configured():
return ca.set_audit_renewal()
else:
logger.info('CA is not configured')
return False
def ca_initialize_hsm_state(ca):
"""Initializse HSM state as False / internal token
"""
@ -1774,7 +1760,6 @@ def upgrade_configuration():
ca_restart = any([
ca_restart,
ca_upgrade_schema(ca),
upgrade_ca_audit_cert_validity(ca),
certificate_renewal_update(ca, kra, ds, http),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),