Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.

On CA masters, a certificate is requested and stored to LDAP. On CA clones, the certificate is retrieved from LDAP. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2025-02-03 12:11:25 -06:00 · 2013-10-16 08:55:17 +00:00 · 2013-10-16 08:55:17 +00:00 · b5d082ec4d
commit b5d082ec4d
parent c3169add3b
2 changed files with 8 additions and 5 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@ -36,6 +36,7 @@ from ipapython import ipautil
 from ipapython.dn import DN
 from ipalib import api, errors, pkcs10, x509
 from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import cainstance, certs

 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@ -256,7 +257,11 @@ def main():
    if profile:
        handler = handlers.get(profile, request_and_store_cert)
    else:
-        handler = request_and_store_cert
+        ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+        if ca.is_renewal_master():
+            handler = request_and_store_cert
+        else:
+            handler = retrieve_cert

    res = handler()
    for item in res[1:]:
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -925,8 +925,7 @@ class CAInstance(service.Service):
                pinfile='/etc/httpd/alias/pwdfile.txt',
                secdir='/etc/httpd/alias',
                pre_command=None,
-                post_command='restart_httpd',
-                profile='ipaRetrieval')
+                post_command='restart_httpd')
        except (ipautil.CalledProcessError, RuntimeError), e:
            root_logger.error(
                "certmonger failed to start tracking certificate: %s" % str(e))
@ -1504,8 +1503,7 @@ class CAInstance(service.Service):
                    pinfile=None,
                    secdir=self.dogtag_constants.ALIAS_DIR,
                    pre_command='stop_pkicad',
-                    post_command='restart_pkicad "%s"' % nickname,
-                    profile='ipaRetrieval')
+                    post_command='restart_pkicad "%s"' % nickname)
            except (ipautil.CalledProcessError, RuntimeError), e:
                root_logger.error(
                    "certmonger failed to start tracking certificate: "