Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.

Previously this was done by the dogtag-ipa-retrieve-agent-submit helper.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Jan Cholasta 2013-10-16 08:08:57 +00:00 committed by Petr Viktorin
parent bbb2af5016
commit babddaaee8
2 changed files with 27 additions and 16 deletions


@ -369,7 +369,7 @@ def get_pin(token, dogtag_constants=None):
return None return None
def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command, def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
post_command): post_command, profile=None):
""" """
Tell certmonger to start tracking a dogtag CA certificate. These Tell certmonger to start tracking a dogtag CA certificate. These
are handled differently because their renewal must be done directly are handled differently because their renewal must be done directly
@ -423,12 +423,9 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
args.append("-P") args.append("-P")
args.append(pin) args.append(pin)
if ca == 'dogtag-ipa-retrieve-agent-submit': if profile:
# We cheat and pass in the nickname as the profile when
# renewing on a clone. The submit otherwise doesn't pass in the
# nickname and we need some way to find the right entry in LDAP.
args.append("-T") args.append("-T")
args.append(nickname) args.append(profile)
(stdout, stderr, returncode) = ipautil.run(args, nolog=[pin]) (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
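Review bot: The new `profile` parameter is not described in the docstring, which still only says the function tells certmonger to start tracking a dogtag CA certificate. Because the value now reaches the helper command line as `-T` independently of the CA name, the docstring should say what it selects; I would add `profile: optional certmonger profile name passed to the CA helper as -T; the callers in this commit use it to select the LDAP retrieval profile ('ipaRetrieval') for dogtag-ipa-ca-renew-agent` (the helper-side meaning of the profile is not visible here, so confirm it). Any caller elsewhere that still passes `ca='dogtag-ipa-retrieve-agent-submit'` and relied on `-T <nickname>` being appended automatically now gets no `-T` at all, which a grep for the old CA name should confirm. dogtag_start_tracking's body spans both hunks and continues past the end of the second one.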


@ -917,7 +917,15 @@ class CAInstance(service.Service):
On upgrades this needs to be called from ipa-upgradeconfig. On upgrades this needs to be called from ipa-upgradeconfig.
""" """
try: try:
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', None, 'restart_httpd') certmonger.dogtag_start_tracking(
ca='dogtag-ipa-ca-renew-agent',
nickname='ipaCert',
pin=None,
pinfile='/etc/httpd/alias/pwdfile.txt',
secdir='/etc/httpd/alias',
pre_command=None,
post_command='restart_httpd',
profile='ipaRetrieval')
except (ipautil.CalledProcessError, RuntimeError), e: except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error( root_logger.error(
"certmonger failed to start tracking certificate: %s" % str(e)) "certmonger failed to start tracking certificate: %s" % str(e))
@ -1356,7 +1364,7 @@ class CAInstance(service.Service):
obj = bus.get_object('org.fedorahosted.certmonger', obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger') '/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit') path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
if path: if path:
iface.remove_known_ca(path) iface.remove_known_ca(path)
@ -1460,11 +1468,11 @@ class CAInstance(service.Service):
obj = bus.get_object('org.fedorahosted.certmonger', obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger') '/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit') path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
if not path: if not path:
iface.add_known_ca( iface.add_known_ca(
'dogtag-ipa-retrieve-agent-submit', 'dogtag-ipa-ca-renew-agent',
'/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit', []) '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', [])
def configure_clone_renewal(self): def configure_clone_renewal(self):
""" """
@ -1481,12 +1489,18 @@ class CAInstance(service.Service):
'subsystemCert cert-pki-ca']: 'subsystemCert cert-pki-ca']:
try: try:
certmonger.dogtag_start_tracking( certmonger.dogtag_start_tracking(
'dogtag-ipa-retrieve-agent-submit', nickname, pin, None, ca='dogtag-ipa-ca-renew-agent',
self.dogtag_constants.ALIAS_DIR, 'stop_pkicad', nickname=nickname,
'restart_pkicad "%s"' % nickname) pin=pin,
pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR,
pre_command='stop_pkicad',
post_command='restart_pkicad "%s"' % nickname,
profile='ipaRetrieval')
except (ipautil.CalledProcessError, RuntimeError), e: except (ipautil.CalledProcessError, RuntimeError), e:
root_logger.error( root_logger.error(
"certmonger failed to start tracking certificate: %s" % str(e)) "certmonger failed to start tracking certificate: "
"%s" % e)
# The agent renewal is configured in import_ra_cert which is called # The agent renewal is configured in import_ra_cert which is called
# after the HTTP instance is created. # after the HTTP instance is created.
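Review bot: The remove-known-CA path now looks up only `dogtag-ipa-ca-renew-agent`, so a server upgraded from the previous scheme keeps the stale `dogtag-ipa-retrieve-agent-submit` CA entry (and any tracking requests bound to it) registered in certmonger, unless ipa-upgradeconfig cleans that up somewhere not shown here; in the `find_ca_by_nickname` / `remove_known_ca` hunk I would also look up and remove the old nickname, e.g. `for nick in ('dogtag-ipa-ca-renew-agent', 'dogtag-ipa-retrieve-agent-submit'):` around the existing find/remove pair. A stale CA entry is worth removing because it keeps certmonger pointed at a helper that may no longer exist once the old retrieve helper is dropped. Separately, the profile string `'ipaRetrieval'` is now duplicated in two `dogtag_start_tracking` calls; a module-level constant would keep the two renewal setups in step. All four hunks sit inside CAInstance methods whose bodies start and end outside the hunks.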