dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs

On a non-HSM, non-renewal-server replica we look in LDAP for
an updated certificate. If the certificates don't match, then we
have a new one and write it out. If they match, the assumption is
that it hasn't been renewed yet, so go into CA_WORKING.

The problem is that for networked HSMs the cert will already be
visible in the database so certmonger will always be in CA_WORKING.
In this case we can assume that if the certs are the same then
that's just fine.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2024-01-30 17:17:21 -05:00
parent b63103c88a
commit c6f2d0212b


@ -42,7 +42,7 @@ import six
from ipalib.install.kinit import kinit_keytab
from ipapython import ipautil
from ipapython.dn import DN
from ipalib import api, errors, x509
from ipalib import api, errors, x509, sysrestore
from ipaplatform.paths import paths
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import ca, cainstance, dsinstance, certs
@ -383,7 +383,20 @@ def retrieve_cert_continuous(reuse_existing, **kwargs):
return result
new_cert = x509.load_pem_x509_certificate(result[1].encode('ascii'))
nickname = get_nickname()
if new_cert == old_cert:
sstore = sysrestore.StateFile(paths.SYSRESTORE)
if (
sstore.get_state('pki_hsm', 'enabled')
and sstore.get_state('pki_hsm', 'token_name')
and nickname != 'ipaCert'
):
# HSMs must be networked so the cert is already present
# exception of the RA Agent certificate.
return (
ISSUED,
new_cert.public_bytes(x509.Encoding.PEM).decode("ascii"),
)
syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
# No cert available yet, tell certmonger to wait another 8 hours
return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
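Review bot: the new early return inside `if new_cert == old_cert:` cannot distinguish "already renewed and visible on the networked HSM" from "not renewed yet" (the case the commit message says used to land in CA_WORKING), so on an HSM-enabled replica a certificate that the renewal master has not renewed yet is handed back to certmonger as ISSUED with its unchanged, soon-to-expire value instead of `(WAIT_WITH_DELAY, 8 * 60 * 60, '')`. Consider checking that `new_cert` is not already inside the renewal window (for example comparing `new_cert.not_valid_after` with the current time) before returning ISSUED, or at least stating in the comment why returning the unchanged certificate is acceptable here. Two smaller points: the comment `# HSMs must be networked so the cert is already present` / `# exception of the RA Agent certificate.` reads as one sentence split in two, and rewording it to "..., with the exception of the RA Agent certificate (ipaCert)" would also explain the `nickname != 'ipaCert'` test; and `sysrestore.StateFile(paths.SYSRESTORE)` is re-read on every certmonger poll, so reading the two `pki_hsm` keys once and caching the result would avoid the repeated file parse.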