URL: https://github.com/freeipa/freeipa/pull/2633
Author: flo-renaud
Title: #2633: [Backport][ipa-4-7] certupdate: add commentary about certmonger behaviour
Action: opened

PR body:
"""
This PR was opened automatically because PR #2622 was pushed to master and backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2633/head:pr2633
git checkout pr2633
From 12859dbc11017399f90079522d417eb78fd3c078 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 30 Nov 2018 21:53:21 +1100
Subject: [PATCH] certupdate: add commentary about certmonger behaviour

It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate.  Add some commentary to explain this behaviour.

Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840
---
 ipaclient/install/ipa_certupdate.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index ea3765fcf6..7a5d3f96a2 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -164,6 +164,17 @@ def update_server(certs):
     if request_id is not None:
         timeout = api.env.startup_timeout + 60
 
+        # The dogtag-ipa-ca-renew-agent-reuse Certmonger CA never
+        # actually renews the certificate; it only pulls it from the
+        # ca_renewal LDAP cert store.
+        #
+        # Why is this needed?  If the CA cert gets renewed long
+        # before its notAfter (expiry) date (e.g. to switch from
+        # self-signed to external, or to switch to new external CA),
+        # then the other (i.e. not caRenewalMaster) CA replicas will
+        # not promptly pick up the new CA cert.  So we make
+        # ipa-certupdate always check for an updated CA cert.
+        #
         logger.debug("resubmitting certmonger request '%s'", request_id)
         certmonger.resubmit_request(
             request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
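Review bot: The new comment says "we make ipa-certupdate always check for an updated CA cert", but the block sits inside `if request_id is not None:`, so the resubmit only happens when a certmonger tracking request for the CA certificate exists; consider wording it as "whenever a tracking request exists" so a reader is not surprised when the resubmit is skipped. Two smaller points in the same hunk: the trailing bare `#` line immediately before `logger.debug("resubmitting certmonger request '%s'", request_id)` is a dangling empty comment line and can be dropped, and "to switch to new external CA" reads better as "to switch to a new external CA". The substantive point, that the `dogtag-ipa-ca-renew-agent-reuse` CA issues nothing and only pulls the current certificate from the `ca_renewal` LDAP store, is clear and worth keeping as written.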
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org