httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure

In the migration case of replica installation, if the CA server is an older version it may not support the ipa-ca.$DOMAIN dnsName in the HTTP cert (it is a special case in the cert_request command). Therefore if the request fails, try it again without the ipa-ca.$DOMAIN dnsName. Part of: https://pagure.io/freeipa/issue/8186 Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2025-01-26 16:16:31 -06:00 · 2020-06-09 16:06:42 +10:00 · 2020-06-09 16:06:42 +10:00 · 9d9012f682
commit 9d9012f682
parent 451cbae160
2 changed files with 17 additions and 3 deletions
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@ -350,7 +350,7 @@ def request_and_wait_for_cert(
        certpath, subject, principal, nickname=None, passwd_fname=None,
        dns=None, ca='IPA', profile=None,
        pre_command=None, post_command=None, storage='NSSDB', perms=None,
-        resubmit_timeout=0):
+        resubmit_timeout=0, stop_tracking_on_error=False):
    """Request certificate, wait and possibly resubmit failing requests

    Submit a cert request to certmonger and wait until the request has
@ -403,6 +403,9 @@ def request_and_wait_for_cert(
            time.sleep(10)
            resubmit_request(req_id)

+    if stop_tracking_on_error:
+        stop_tracking(request_id=req_id)
+
    raise RuntimeError(
        "Certificate issuance failed ({}: {})".format(state, ca_error)
    )
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -375,7 +375,11 @@ class HTTPInstance(service.Service):
            else:
                prev_helper = None
            try:
-                certmonger.request_and_wait_for_cert(
+                # In migration case, if CA server is older version it may not
+                # have codepaths to support the ipa-ca.$DOMAIN dnsName in HTTP
+                # cert.  Therefore if request fails, try again without the
+                # ipa-ca.$DOMAIN dnsName.
+                args = dict(
                    certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
                    principal=self.principal,
                    subject=str(DN(('CN', self.fqdn), self.subject_base)),
@ -385,8 +389,15 @@ class HTTPInstance(service.Service):
                    post_command='restart_httpd',
                    storage='FILE',
                    passwd_fname=key_passwd_file,
-                    resubmit_timeout=api.env.certmonger_wait_timeout
+                    resubmit_timeout=api.env.certmonger_wait_timeout,
+                    stop_tracking_on_error=True,
                )
+                try:
+                    certmonger.request_and_wait_for_cert(**args)
+                except Exception as e:
+                    args['dns'] = [self.fqdn]  # remove ipa-ca.$DOMAIN
+                    args['stop_tracking_on_error'] = False
+                    certmonger.request_and_wait_for_cert(**args)
            finally:
                if prev_helper is not None:
                    certmonger.modify_ca_helper('IPA', prev_helper)