URL: https://github.com/freeipa/freeipa/pull/2633 Author: flo-renaud Title: #2633: [Backport][ipa-4-7] certupdate: add commentary about certmonger behaviour Action: opened
PR body: """ This PR was opened automatically because PR #2622 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2633/head:pr2633 git checkout pr2633
From 12859dbc11017399f90079522d417eb78fd3c078 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 30 Nov 2018 21:53:21 +1100 Subject: [PATCH] certupdate: add commentary about certmonger behaviour It is not obvious why we "renew" (reuse only) the IPA CA certificate in ipa-certupdate. Add some commentary to explain this behaviour. Related: https://pagure.io/freeipa/issue/7751 See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840 --- ipaclient/install/ipa_certupdate.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index ea3765fcf6..7a5d3f96a2 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -164,6 +164,17 @@ def update_server(certs): if request_id is not None: timeout = api.env.startup_timeout + 60 + # The dogtag-ipa-ca-renew-agent-reuse Certmonger CA never + # actually renews the certificate; it only pulls it from the + # ca_renewal LDAP cert store. + # + # Why is this needed? If the CA cert gets renewed long + # before its notAfter (expiry) date (e.g. to switch from + # self-signed to external, or to switch to new external CA), + # then the other (i.e. not caRenewalMaster) CA replicas will + # not promptly pick up the new CA cert. So we make + # ipa-certupdate always check for an updated CA cert. + # logger.debug("resubmitting certmonger request '%s'", request_id) certmonger.resubmit_request( request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org