Make PKINIT certificate request logic consistent with other installers

The certmonger request handling code during pkinit setup actually never
correctly handled situations when the certificate request was rejected by
the CA or the CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.

The code should behave as other service installers, e.g. use the
`request_and_wait_for_cert` method, which raises a hard error when the request
times out or is not granted by the CA. On the master, contact the Dogtag CA
endpoint directly, as is done in the DS installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Martin Babinsky 2017-03-14 09:56:07 +01:00 committed by Martin Basti
parent 46d4d534c0
commit 95768de06f


@ -357,10 +357,15 @@ class KrbInstance(service.Service):
subject = str(DN(('cn', self.fqdn), self.subject_base))
krbtgt = "krbtgt/" + self.realm + "@" + self.realm
certpath = (paths.KDC_CERT, paths.KDC_KEY)
try:
reqid = certmonger.request_cert(certpath, subject, krbtgt,
dns=self.fqdn, storage='FILE',
profile='KDCs_PKINIT_Certs')
certmonger.request_and_wait_for_cert(
certpath,
subject,
krbtgt,
dns=self.fqdn,
storage='FILE',
profile='KDCs_PKINIT_Certs')
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error
name = e.get_dbus_name()
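Review bot: the `except dbus.DBusException` branch is now the only error handling around `request_and_wait_for_cert`, so a timeout or CA rejection (previously caught as a RuntimeError around `wait_for_request`) will propagate and abort the installer; that matches the "hard error" intent, but a previously soft failure becoming fatal should be called out in the release notes. Also, the call in this hunk passes no CA endpoint (only `storage='FILE'` and `profile='KDCs_PKINIT_Certs'`), so the master-side "contact the Dogtag CA endpoint directly" part of the message is not visible in these lines; point to where that happens or trim the message.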
@ -368,11 +373,6 @@ class KrbInstance(service.Service):
root_logger.error("Failed to initiate the request: %s", e)
return
try:
certmonger.wait_for_request(reqid)
except RuntimeError as e:
root_logger.error("Failed to wait for request: %s", e)
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
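Review bot: with the `wait_for_request` block removed, the `root_logger.error("Failed to initiate the request: %s", e)` followed by `return` is the remaining soft-fail path: any DBusException other than the already-tracked case still only logs and returns, so the installer continues without a KDC PKINIT certificate and the CA cert is never copied to `paths.CACERT_PEM`, which is exactly the hard-to-debug state the commit message describes. Consider re-raising (or raising a RuntimeError) after logging so this path fails as hard as `request_and_wait_for_cert` does.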