Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.
Before, this was done by dogtag-ipa-retrieve-agent-submit. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This commit is contained in:
parent
bbb2af5016
commit
babddaaee8
@ -369,7 +369,7 @@ def get_pin(token, dogtag_constants=None):
|
|||||||
return None
|
return None
|
||||||
|
|
||||||
def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
|
def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
|
||||||
post_command):
|
post_command, profile=None):
|
||||||
"""
|
"""
|
||||||
Tell certmonger to start tracking a dogtag CA certificate. These
|
Tell certmonger to start tracking a dogtag CA certificate. These
|
||||||
are handled differently because their renewal must be done directly
|
are handled differently because their renewal must be done directly
|
||||||
@ -423,12 +423,9 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
|
|||||||
args.append("-P")
|
args.append("-P")
|
||||||
args.append(pin)
|
args.append(pin)
|
||||||
|
|
||||||
if ca == 'dogtag-ipa-retrieve-agent-submit':
|
if profile:
|
||||||
# We cheat and pass in the nickname as the profile when
|
|
||||||
# renewing on a clone. The submit otherwise doesn't pass in the
|
|
||||||
# nickname and we need some way to find the right entry in LDAP.
|
|
||||||
args.append("-T")
|
args.append("-T")
|
||||||
args.append(nickname)
|
args.append(profile)
|
||||||
|
|
||||||
(stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
|
(stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
|
||||||
|
|
||||||
|
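Review bot: The docstring of dogtag_start_tracking is not updated for the new `profile` keyword, so a caller cannot see that the value is forwarded to the helper as `-T` and skipped entirely when it is falsy. Add a line such as `profile: optional profile name passed to the CA helper via -T; omitted when None` to the docstring in the first hunk. The deleted comment about passing the nickname as the profile was the only explanation of what `-T` meant here, and that context is worth carrying into the docstring rather than losing it. Note that `if profile:` also silently drops an empty string instead of rejecting it; if that is intended, say so. The function body begins in the first hunk and continues past the second, and no file header is shown on this page.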
@ -917,7 +917,15 @@ class CAInstance(service.Service):
|
|||||||
On upgrades this needs to be called from ipa-upgradeconfig.
|
On upgrades this needs to be called from ipa-upgradeconfig.
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', None, 'restart_httpd')
|
certmonger.dogtag_start_tracking(
|
||||||
|
ca='dogtag-ipa-ca-renew-agent',
|
||||||
|
nickname='ipaCert',
|
||||||
|
pin=None,
|
||||||
|
pinfile='/etc/httpd/alias/pwdfile.txt',
|
||||||
|
secdir='/etc/httpd/alias',
|
||||||
|
pre_command=None,
|
||||||
|
post_command='restart_httpd',
|
||||||
|
profile='ipaRetrieval')
|
||||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||||
root_logger.error(
|
root_logger.error(
|
||||||
"certmonger failed to start tracking certificate: %s" % str(e))
|
"certmonger failed to start tracking certificate: %s" % str(e))
|
||||||
@ -1356,7 +1364,7 @@ class CAInstance(service.Service):
|
|||||||
obj = bus.get_object('org.fedorahosted.certmonger',
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
||||||
'/org/fedorahosted/certmonger')
|
'/org/fedorahosted/certmonger')
|
||||||
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
||||||
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
|
path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
|
||||||
if path:
|
if path:
|
||||||
iface.remove_known_ca(path)
|
iface.remove_known_ca(path)
|
||||||
|
|
||||||
@ -1460,11 +1468,11 @@ class CAInstance(service.Service):
|
|||||||
obj = bus.get_object('org.fedorahosted.certmonger',
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
||||||
'/org/fedorahosted/certmonger')
|
'/org/fedorahosted/certmonger')
|
||||||
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
||||||
path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
|
path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
|
||||||
if not path:
|
if not path:
|
||||||
iface.add_known_ca(
|
iface.add_known_ca(
|
||||||
'dogtag-ipa-retrieve-agent-submit',
|
'dogtag-ipa-ca-renew-agent',
|
||||||
'/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit', [])
|
'/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', [])
|
||||||
|
|
||||||
def configure_clone_renewal(self):
|
def configure_clone_renewal(self):
|
||||||
"""
|
"""
|
||||||
@ -1481,12 +1489,18 @@ class CAInstance(service.Service):
|
|||||||
'subsystemCert cert-pki-ca']:
|
'subsystemCert cert-pki-ca']:
|
||||||
try:
|
try:
|
||||||
certmonger.dogtag_start_tracking(
|
certmonger.dogtag_start_tracking(
|
||||||
'dogtag-ipa-retrieve-agent-submit', nickname, pin, None,
|
ca='dogtag-ipa-ca-renew-agent',
|
||||||
self.dogtag_constants.ALIAS_DIR, 'stop_pkicad',
|
nickname=nickname,
|
||||||
'restart_pkicad "%s"' % nickname)
|
pin=pin,
|
||||||
|
pinfile=None,
|
||||||
|
secdir=self.dogtag_constants.ALIAS_DIR,
|
||||||
|
pre_command='stop_pkicad',
|
||||||
|
post_command='restart_pkicad "%s"' % nickname,
|
||||||
|
profile='ipaRetrieval')
|
||||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||||
root_logger.error(
|
root_logger.error(
|
||||||
"certmonger failed to start tracking certificate: %s" % str(e))
|
"certmonger failed to start tracking certificate: "
|
||||||
|
"%s" % e)
|
||||||
|
|
||||||
# The agent renewal is configured in import_ra_cert which is called
|
# The agent renewal is configured in import_ra_cert which is called
|
||||||
# after the HTTP instance is created.
|
# after the HTTP instance is created.
|
||||||
|
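Review bot: The new CA nickname `'dogtag-ipa-ca-renew-agent'` and the helper path `'/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit'` are written as bare literals in the hunks at -917, -1356, -1460 and -1481, which is exactly why the old name had to be chased through four places in this commit. A module-level constant such as `RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent'` used by find_ca_by_nickname, add_known_ca and both dogtag_start_tracking calls would keep the name from drifting between registration and tracking. The -1460 hunk only registers the CA when find_ca_by_nickname returns nothing, so an existing entry under that nickname with a different helper path is left untouched; whether the removal in the -1356 hunk covers every upgrade path cannot be judged from the lines shown. Each enclosing method starts outside its hunk, and no file header appears on this page.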