Fix certmonger configuration in installer code

https://fedorahosted.org/freeipa/ticket/4619

Reviewed-By: David Kupka <dkupka@redhat.com>

install/tools/ipa-server-install

@@ -561,14 +561,13 @@ def uninstall():
 
     kra_instance = krainstance.KRAInstance(
         api.env.realm, dogtag_constants=dogtag_constants)
-    kra_instance.stop_tracking_certificates(dogtag_constants)
+    kra_instance.stop_tracking_certificates()
     if kra_instance.is_installed():
         kra_instance.uninstall()
 
     ca_instance = cainstance.CAInstance(
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
-    ca_instance.stop_tracking_certificates(dogtag_constants)
-    ca_instance.stop_tracking_agent_certificate(dogtag_constants)
+    ca_instance.stop_tracking_certificates()
     if ca_instance.is_configured():
         ca_instance.uninstall()
 

install/tools/ipa-upgradeconfig

@@ -727,7 +727,7 @@ def certificate_renewal_update(ca):
 
     # Ok, now we need to stop tracking, then we can start tracking them
     # again with new configuration:
-    ca.stop_tracking_certificates(dogtag_constants)
+    ca.stop_tracking_certificates()
 
     if not sysupgrade.get_upgrade_state('dogtag',
                                         'certificate_renewal_update_1'):

ipaserver/install/cainstance.py

@@ -330,6 +330,12 @@ class CAInstance(DogtagInstance):
        2 = have signed cert, continue installation
     """
 
+    tracking_reqs = (('auditSigningCert cert-pki-ca', None),
+                     ('ocspSigningCert cert-pki-ca', None),
+                     ('subsystemCert cert-pki-ca', None),
+                     ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
+    server_cert_name = 'Server-Cert cert-pki-ca'
+
     def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
                  host_name=None, dm_password=None, ldapi=True):
         if dogtag_constants is None:
@@ -363,11 +369,6 @@ class CAInstance(DogtagInstance):
             self.ra_agent_pwd = None
         self.ra_cert = None
         self.requestId = None
-        self.tracking_reqs = (('Server-Cert cert-pki-ca', None),
-                              ('auditSigningCert cert-pki-ca', None),
-                              ('ocspSigningCert cert-pki-ca', None),
-                              ('subsystemCert cert-pki-ca', None),
-                              ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
         self.log = log_mgr.get_logger(self)
 
     def configure_instance(self, host_name, domain, dm_password,
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance):
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
                 self.step("adding RA agent as a trusted user", self.__configure_ra)
             self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
-            self.step("configure certificate renewals", self.configure_cert_renewal)
+            self.step("configure certificate renewals", self.configure_renewal)
             if not self.clone:
                 self.step("configure RA certificate renewal", self.configure_agent_renewal)
             self.step("configure Server-Cert certificate renewal", self.track_servercert)
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance):
         fd.close()
         os.chmod(location, 0444)
 
-    @staticmethod
-    def configure_certmonger_renewal():
-        """
-        Create a new CA type for certmonger that will retrieve updated
-        certificates from the dogtag master server.
-        """
-        services.knownservices.messagebus.start()
-        cmonger = services.knownservices.certmonger
-        cmonger.enable()
-        cmonger.start()
-
-        bus = dbus.SystemBus()
-        obj = bus.get_object('org.fedorahosted.certmonger',
-                             '/org/fedorahosted/certmonger')
-        iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
-        path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
-        if not path:
-            iface.add_known_ca(
-                'dogtag-ipa-ca-renew-agent',
-                paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, [])
-
     def configure_agent_renewal(self):
         try:
             certmonger.dogtag_start_tracking(
@@ -1346,61 +1326,18 @@ class CAInstance(DogtagInstance):
             self.log.error(
                 "certmonger failed to start tracking certificate: %s", e)
 
-    def __get_ca_pin(self):
-        try:
-            return certmonger.get_pin(
-                'internal',
-                dogtag_constants=self.dogtag_constants)
-        except IOError, e:
-            raise RuntimeError(
-                'Unable to determine PIN for CA instance: %s' % e)
+    def stop_tracking_certificates(self):
+        """Stop tracking our certificates. Called on uninstall.
+        """
+        super(CAInstance, self).stop_tracking_certificates(False)
 
-    def configure_cert_renewal(self):
-        """
-        Configure system certificates for renewal.
-        """
-        reqs = (
-            ('auditSigningCert cert-pki-ca', None),
-            ('ocspSigningCert cert-pki-ca',  None),
-            ('subsystemCert cert-pki-ca',    None),
-            ('caSigningCert cert-pki-ca',    'ipaCACertRenewal'),
-        )
-
-        DogtagInstance.configure_renewal(self, reqs)
-
-    def track_servercert(self):
-        """
-        Specifically do not tell certmonger to restart the CA. This will be
-        done by the renewal script, renew_ca_cert once all the subsystem
-        certificates are renewed.
-        """
-        pin = self.__get_ca_pin()
-        try:
-            certmonger.dogtag_start_tracking(
-                ca='dogtag-ipa-renew-agent',
-                nickname='Server-Cert cert-pki-ca',
-                pin=pin,
-                pinfile=None,
-                secdir=self.dogtag_constants.ALIAS_DIR,
-                pre_command=None,
-                post_command=None)
-        except RuntimeError, e:
-            self.log.error(
-                "certmonger failed to start tracking certificate: %s", e)
-
-    @staticmethod
-    def stop_tracking_agent_certificate(dogtag_constants):
-        """Stop tracking agent certificate. Called on uninstall.
-        """
-        cmonger = services.knownservices.certmonger
-        services.knownservices.messagebus.start()
-        cmonger.start()
         try:
             certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert')
         except RuntimeError, e:
             root_logger.error(
                 "certmonger failed to stop tracking certificate: %s", e)
-        cmonger.stop()
+
+        services.knownservices.certmonger.stop()
 
     def enable_subject_key_identifier(self):
         """

ipaserver/install/dogtaginstance.py

@@ -22,6 +22,7 @@ import os
 import shutil
 import tempfile
 import traceback
+import dbus
 
 from pki.client import PKIConnection
 import pki.system
@@ -96,6 +97,9 @@ class DogtagInstance(service.Service):
     CA, KRA, and eventually TKS and TPS.
     """
 
+    tracking_reqs = None
+    server_cert_name = None
+
     def __init__(self, realm, subsystem, service_desc, dogtag_constants=None,
                  host_name=None, dm_password=None, ldapi=True):
         """Initializer"""
@@ -126,7 +130,6 @@ class DogtagInstance(service.Service):
         self.server_root = dogtag_constants.SERVER_ROOT
         self.subsystem = subsystem
         self.security_domain_name = "IPA"
-        self.tracking_reqs = None
 
         # replication parameters
         self.master_host = None
@@ -293,6 +296,27 @@ class DogtagInstance(service.Service):
         with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
             fd.write(template)
 
+    @staticmethod
+    def configure_certmonger_renewal():
+        """
+        Create a new CA type for certmonger that will retrieve updated
+        certificates from the dogtag master server.
+        """
+        cmonger = services.knownservices.certmonger
+        cmonger.enable()
+        services.knownservices.messagebus.start()
+        cmonger.start()
+
+        bus = dbus.SystemBus()
+        obj = bus.get_object('org.fedorahosted.certmonger',
+                             '/org/fedorahosted/certmonger')
+        iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
+        path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
+        if not path:
+            iface.add_known_ca(
+                'dogtag-ipa-ca-renew-agent',
+                paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, [])
+
     def __get_pin(self):
         try:
             return certmonger.get_pin('internal',
@@ -302,22 +326,11 @@ class DogtagInstance(service.Service):
                 'Unable to determine PIN for the Dogtag instance: %s', e)
             raise RuntimeError(e)
 
-    def configure_renewal(self, reqs=None):
-        """ Configure certmonger to renew system certs
-
-        @param reqs: list of nicknames and profiles
-        """
-        cmonger = services.knownservices.certmonger
-        cmonger.enable()
-        services.knownservices.messagebus.start()
-        cmonger.start()
-
+    def configure_renewal(self):
+        """ Configure certmonger to renew system certs """
         pin = self.__get_pin()
 
-        if reqs is None:
-            reqs = self.tracking_reqs
-
-        for nickname, profile in reqs:
+        for nickname, profile in self.tracking_reqs:
             try:
                 certmonger.dogtag_start_tracking(
                     ca='dogtag-ipa-ca-renew-agent',
@@ -332,7 +345,27 @@ class DogtagInstance(service.Service):
                 self.log.error(
                     "certmonger failed to start tracking certificate: %s", e)
 
-    def stop_tracking_certificates(self, dogtag_constants, reqs=None):
+    def track_servercert(self):
+        """
+        Specifically do not tell certmonger to restart the CA. This will be
+        done by the renewal script, renew_ca_cert once all the subsystem
+        certificates are renewed.
+        """
+        pin = self.__get_pin()
+        try:
+            certmonger.dogtag_start_tracking(
+                ca='dogtag-ipa-renew-agent',
+                nickname=self.server_cert_name,
+                pin=pin,
+                pinfile=None,
+                secdir=self.dogtag_constants.ALIAS_DIR,
+                pre_command=None,
+                post_command=None)
+        except RuntimeError, e:
+            self.log.error(
+                "certmonger failed to start tracking certificate: %s" % e)
+
+    def stop_tracking_certificates(self, stop_certmonger=True):
         """Stop tracking our certificates. Called on uninstall.
         """
         self.print_msg(
@@ -343,18 +376,20 @@ class DogtagInstance(service.Service):
         services.knownservices.messagebus.start()
         cmonger.start()
 
-        if reqs is None:
-            reqs = self.tracking_reqs
+        nicknames = [nickname for nickname, profile in self.tracking_reqs]
+        if self.server_cert_name is not None:
+            nicknames.append(self.server_cert_name)
 
-        for nickname, _profile in reqs:
+        for nickname in nicknames:
             try:
                 certmonger.stop_tracking(
-                    dogtag_constants.ALIAS_DIR, nickname=nickname)
+                    self.dogtag_constants.ALIAS_DIR, nickname=nickname)
             except RuntimeError, e:
                 self.log.error(
                     "certmonger failed to stop tracking certificate: %s", e)
 
-        cmonger.stop()
+        if stop_certmonger:
+            cmonger.stop()
 
     @staticmethod
     def update_cert_cs_cfg(nickname, cert, directives, cs_cfg,

ipaserver/install/ipa_kra_install.py

@@ -122,7 +122,7 @@ class KRAUninstaller(KRAInstall):
 
         kra_instance = krainstance.KRAInstance(
             api.env.realm, dogtag_constants=dogtag_constants)
-        kra_instance.stop_tracking_certificates(dogtag_constants)
+        kra_instance.stop_tracking_certificates()
         if kra_instance.is_installed():
             kra_instance.uninstall()
 

ipaserver/install/krainstance.py

@@ -52,6 +52,10 @@ class KRAInstance(DogtagInstance):
     be the same for both the CA and KRA.
     """
 
+    tracking_reqs = (('auditSigningCert cert-pki-kra', None),
+                     ('transportCert cert-pki-kra', None),
+                     ('storageCert cert-pki-kra', None))
+
     def __init__(self, realm, dogtag_constants=None):
         if dogtag_constants is None:
             dogtag_constants = dogtag.configured_constants()
@@ -64,9 +68,6 @@ class KRAInstance(DogtagInstance):
         )
 
         self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
-        self.tracking_reqs = (('auditSigningCert cert-pki-kra', None),
-                              ('transportCert cert-pki-kra', None),
-                              ('storageCert cert-pki-kra', None))
         self.log = log_mgr.get_logger(self)
 
     def configure_instance(self, host_name, domain, dm_password,
@@ -111,6 +112,8 @@ class KRAInstance(DogtagInstance):
             self.step("add RA user to KRA agent group",
                       self.__add_ra_user_to_agent_group)
         self.step("restarting KRA", self.restart_instance)
+        self.step("configure certmonger for renewals",
+                  self.configure_certmonger_renewal)
         self.step("configure certificate renewals", self.configure_renewal)
         self.step("Configure HTTP to proxy connections",
                   self.http_proxy)