URL: https://github.com/freeipa/freeipa/pull/1079 Author: flo-renaud Title: #1079: ipa-server-upgrade: fix the logic for tracking certs Action: opened
PR body: """ ipa-server-upgrade needs to configure certmonger with the right options in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert location has changed from older releases). The upgrade code looks for existing tracking requests with the expected options by using criteria (location of the NSSDB, nickname, CA helper...) If a tracking request is not found, it means that it is either using wrong options or not configured. In this case, the upgrade stop tracking all the certs, reconfigures the helpers, starts tracking the certs so that the config is up-to-date. The issue is that the criteria is using the keyword 'ca' instead of 'ca-name' and this leads to upgrade believing that the config needs to be updated in all the cases. https://pagure.io/freeipa/issue/7151 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1079/head:pr1079 git checkout pr1079
From a5e19c68c946f4fb85216687331c16d2b79299d6 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 14 Sep 2017 09:46:34 +0200 Subject: [PATCH] ipa-server-upgrade: fix the logic for tracking certs ipa-server-upgrade needs to configure certmonger with the right options in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert location has changed from older releases). The upgrade code looks for existing tracking requests with the expected options by using criteria (location of the NSSDB, nickname, CA helper...) If a tracking request is not found, it means that it is either using wrong options or not configured. In this case, the upgrade stop tracking all the certs, reconfigures the helpers, starts tracking the certs so that the config is up-to-date. The issue is that the criteria is using the keyword 'ca' instead of 'ca-name' and this leads to upgrade believing that the config needs to be updated in all the cases. https://pagure.io/freeipa/issue/7151 --- ipaserver/install/server/upgrade.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0bc1de37bb..fa6a550525 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -925,7 +925,7 @@ def certificate_renewal_update(ca, ds, http): { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': 'auditSigningCert cert-pki-ca', - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'stop_pkicad', 'cert-postsave-command': (template % 'renew_ca_cert "auditSigningCert cert-pki-ca"'), @@ -933,7 +933,7 @@ def certificate_renewal_update(ca, ds, http): { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': 'ocspSigningCert cert-pki-ca', - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'stop_pkicad', 'cert-postsave-command': (template % 'renew_ca_cert "ocspSigningCert cert-pki-ca"'), @@ -941,7 +941,7 @@ def certificate_renewal_update(ca, ds, http): { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': 'subsystemCert cert-pki-ca', - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'stop_pkicad', 'cert-postsave-command': (template % 'renew_ca_cert "subsystemCert cert-pki-ca"'), @@ -949,16 +949,16 @@ def certificate_renewal_update(ca, ds, http): { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': 'caSigningCert cert-pki-ca', - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'stop_pkicad', 'cert-postsave-command': (template % 'renew_ca_cert "caSigningCert cert-pki-ca"'), - 'template-profile': '', + 'template-profile': None, }, { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': 'Server-Cert cert-pki-ca', - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'stop_pkicad', 'cert-postsave-command': (template % 'renew_ca_cert "Server-Cert cert-pki-ca"'), @@ -966,20 +966,20 @@ def certificate_renewal_update(ca, ds, http): { 'cert-file': paths.RA_AGENT_PEM, 'key-file': paths.RA_AGENT_KEY, - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'renew_ra_cert_pre', 'cert-postsave-command': template % 'renew_ra_cert', }, { 'cert-database': paths.HTTPD_ALIAS_DIR, 'cert-nickname': 'Server-Cert', - 'ca': 'IPA', + 'ca-name': 'IPA', 'cert-postsave-command': template % 'restart_httpd', }, { - 'cert-database': dsinstance.config_dirname(serverid), + 'cert-database': dsinstance.config_dirname(serverid)[:-1], 'cert-nickname': 'Server-Cert', - 'ca': 'IPA', + 'ca-name': 'IPA', 'cert-postsave-command': '%s %s' % (template % 'restart_dirsrv', serverid), } @@ -997,7 +997,7 @@ def certificate_renewal_update(ca, ds, http): { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 'cert-nickname': nickname, - 'ca': 'dogtag-ipa-ca-renew-agent', + 'ca-name': 'dogtag-ipa-ca-renew-agent', 'cert-presave-command': template % 'stop_pkicad', 'cert-postsave-command': (template % ('renew_ca_cert "%s"' % nickname)),
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org