upgrade: add profile to Dogtag tracking requests

To use profile-based renewal (rather than "renewal existing cert" renewal which is brittle against database corruption or deleted certificate / request objects), Certmonger tracking requests for Dogtag system certs must record the profile to be used. Update the upgrade method that checks tracking requests to look for the profile. Tracking requests will be recreated if the expected data are not found. The code that actually adds the tracking requests was updated in a previous commit. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-05-17 16:30:47 +10:00
parent 3c388f5a22
commit f6f6f83dca
3 changed files with 24 additions and 39 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -267,6 +267,9 @@ class CAInstance(DogtagInstance):
       2 = have signed cert, continue installation
    """

+    # Mapping of nicknames for tracking requests, and the profile to
+    # use for that certificate.  'configure_renewal()' reads this
+    # dict.  The profile MUST be specified.
    tracking_reqs = {
        'auditSigningCert cert-pki-ca': 'caSignedLogCert',
        'ocspSigningCert cert-pki-ca': 'caOCSPCert',
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -60,6 +60,9 @@ class KRAInstance(DogtagInstance):
    be the same for both the CA and KRA.
    """

+    # Mapping of nicknames for tracking requests, and the profile to
+    # use for that certificate.  'configure_renewal()' reads this
+    # dict.  The profile MUST be specified.
    tracking_reqs = {
        'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert',
        'transportCert cert-pki-kra': 'caInternalAuthTransportCert',
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -972,48 +972,27 @@ def certificate_renewal_update(ca, ds, http):
    template = paths.CERTMONGER_COMMAND_TEMPLATE
    serverid = ipaldap.realm_to_serverid(api.env.realm)

-    requests = [
-        {
+    requests = []
+
+    dogtag_system_nicks = (
+        list(cainstance.CAInstance.tracking_reqs) +
+        [cainstance.CAInstance.server_cert_name]
+    )
+    for nick in dogtag_system_nicks:
+        req = {
            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': 'auditSigningCert cert-pki-ca',
+            'cert-nickname': nick,
            'ca-name': 'dogtag-ipa-ca-renew-agent',
            'cert-presave-command': template % 'stop_pkicad',
            'cert-postsave-command':
-                (template % 'renew_ca_cert "auditSigningCert cert-pki-ca"'),
-        },
-        {
-            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': 'ocspSigningCert cert-pki-ca',
-            'ca-name': 'dogtag-ipa-ca-renew-agent',
-            'cert-presave-command': template % 'stop_pkicad',
-            'cert-postsave-command':
-                (template % 'renew_ca_cert "ocspSigningCert cert-pki-ca"'),
-        },
-        {
-            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': 'subsystemCert cert-pki-ca',
-            'ca-name': 'dogtag-ipa-ca-renew-agent',
-            'cert-presave-command': template % 'stop_pkicad',
-            'cert-postsave-command':
-                (template % 'renew_ca_cert "subsystemCert cert-pki-ca"'),
-        },
-        {
-            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': 'caSigningCert cert-pki-ca',
-            'ca-name': 'dogtag-ipa-ca-renew-agent',
-            'cert-presave-command': template % 'stop_pkicad',
-            'cert-postsave-command':
-                (template % 'renew_ca_cert "caSigningCert cert-pki-ca"'),
-            'template-profile': None,
-        },
-        {
-            'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
-            'cert-nickname': 'Server-Cert cert-pki-ca',
-            'ca-name': 'dogtag-ipa-ca-renew-agent',
-            'cert-presave-command': template % 'stop_pkicad',
-            'cert-postsave-command':
-                (template % 'renew_ca_cert "Server-Cert cert-pki-ca"'),
-        },
+                (template % 'renew_ca_cert "{}"'.format(nick)),
+        }
+        profile = cainstance.CAInstance.tracking_reqs.get(nick)
+        if profile:
+            req['template-profile'] = profile
+        requests.append(req)
+
+    requests.append(
        {
            'cert-file': paths.RA_AGENT_PEM,
            'key-file': paths.RA_AGENT_KEY,
@@ -1021,7 +1000,7 @@ def certificate_renewal_update(ca, ds, http):
            'cert-presave-command': template % 'renew_ra_cert_pre',
            'cert-postsave-command': template % 'renew_ra_cert',
        },
-    ]
+    )

    logger.info("[Update certmonger certificate renewal configuration]")
    if not ca.is_configured():