From c6f2d0212bf9aa2ed816779540d69233fe7110a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 30 Jan 2024 17:17:21 -0500
Subject: [PATCH] dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs

On a non-HSM, non-renewal-server replica we look in LDAP for an updated certificate. If the certificates don't match then we have a new one and write it out. If they match the assumption is that it hasn't been renewed yet so go into CA_WORKING. The problem is that for networked HSMs the cert will already be visible in the database so certmonger will always be in CA_WORKING. In this case we can assume that if the certs are the same then that's just fine. Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 .../dogtag-ipa-ca-renew-agent-submit.in | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
index 00a6b65e4..7979ad86d 100644
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@@ -42,7 +42,7 @@ import six
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipautil
 from ipapython.dn import DN
-from ipalib import api, errors, x509
+from ipalib import api, errors, x509, sysrestore
 from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import ca, cainstance, dsinstance, certs
@@ -383,7 +383,20 @@ def retrieve_cert_continuous(reuse_existing, **kwargs):
 return result
 new_cert = x509.load_pem_x509_certificate(result[1].encode('ascii'))
+ nickname = get_nickname()
 if new_cert == old_cert:
+ sstore = sysrestore.StateFile(paths.SYSRESTORE)
+ if (
+ sstore.get_state('pki_hsm', 'enabled')
+ and sstore.get_state('pki_hsm', 'token_name')
+ and nickname != 'ipaCert'
+ ):
+ # HSMs must be networked so the cert is already present
+ # exception of the RA Agent certificate.
+ return (
+ ISSUED,
+ new_cert.public_bytes(x509.Encoding.PEM).decode("ascii"),
+ )
 syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
 # No cert available yet, tell certmonger to wait another 8 hours
 return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
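Review bot: The new HSM branch reports the unchanged certificate back to certmonger as ISSUED in exactly the `new_cert == old_cert` case, which also covers the situation where the renewal server has simply not renewed yet, so if I read the surrounding flow correctly an expired or about-to-expire certificate would be handed back as freshly issued instead of keeping the request in CA_WORKING. I would add a validity guard as a fourth condition, e.g. `and new_cert.not_valid_after > datetime.datetime.now(datetime.timezone.utc)` (assuming `not_valid_after` is timezone-aware here; `datetime` would need importing if the file does not already), and in any case log the decision with `syslog.syslog(syslog.LOG_INFO, "HSM in use, existing certificate treated as current")` before the return so an operator can tell which path was taken, as the non-HSM path below already does. The two `sstore.get_state('pki_hsm', ...)` results are tested by plain truthiness, which is only correct if `get_state` returns real booleans rather than the string `'False'`; worth confirming against sysrestore. The comment is hard to parse and `nickname = get_nickname()` is only used inside this branch; I would move the call into the branch and reword the comment to `# HSMs must be networked, so the cert is already present; the RA Agent certificate (ipaCert) is the exception.`. `retrieve_cert_continuous` starts before this hunk.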