[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From c0c79f0b0fdaf0b5a1bfe0d92018f3bf12373907 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d72feb8..97baa60 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
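Review bot: `profile` is still read from `CERTMONGER_CA_PROFILE` just above the changed condition but no longer affects which handler is chosen; if nothing later in main() (the function continues outside this hunk) uses it, the assignment is now dead and should go. Otherwise the code should record why a real profile no longer bypasses the check, since only the commit message does, e.g. `# Respect the CA renewal master setting regardless of profile (pagure issue 5799).` above the `if is_renewal_master():` line. The same hunk is repeated in the re-sent series further down this page.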
@@ -822,7 +822,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 9e9bcaa70bc8e7b307ecd99e247311796b9fd32d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 28 Feb 2017 10:55:54 + Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. https://pagure.io/freeipa/issue/5799 --- ipaserver/install/server/upgrade.py | 28 +++- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9aec2d8..84692d3 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http): template = paths.CERTMONGER_COMMAND_TEMPLATE serverid = installutils.realm_to_serverid(api.env.realm) -# bump version when requests is changed -version = 6 requests = [ { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 
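Review bot: The `agent_args` line now hands the `--dbdir`, `--nickname` and `--cafile` options that follow to `paths.CERTMONGER_DOGTAG_SUBMIT` instead of the IPA renew-agent wrapper; the rest of the argument list is outside the hunk, so confirm every option still passed is one certmonger's own dogtag-submit accepts rather than one only the wrapper understood. The reason for the swap lives only in the commit message; record it in code with `# Use certmonger's dogtag-submit directly: the CA renewal master setting is not available this early in the install.` above the assignment. `__request_ra_certificate` continues beyond the hunk.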
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http): } ] -root_logger.info("[Update certmonger certificate renewal configuration to " - "version %d]" % version) +root_logger.info("[Update certmonger certificate renewal configuration]") if not ca.is_configured(): root_logger.info('CA is not configured') return False -state = 'certificate_renewal_update_%d' % version -if sysupgrade.get_upgrade_state('dogtag', state): -return False - # State not set, lets see if we are already configured for request in requests: request_id = certmonger.get_request_id(request) if request_id is None: break else: -sysupgrade.set_upgrade_state('dogtag', state, True) -root_logger.info("Certmonger certificate renewal configuration is " - "already at version %d" % version) return False # Ok, now we need to stop tracking, then we can start tracking them @@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http): ds.stop_tracking_certificates(serverid) http.stop_tracking_certificates() -if not sysupgrade.get_upgrade_state('dogtag', -'certificate_renewal_update_1'): -filename = paths.CERTMONGER_CAS_CA_RENEWAL -if os.path.exists(filename): -with installutils
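Review bot: The context comment `# State not set, lets see if we are already configured` now describes a check this hunk deletes: there is no sysupgrade state left to be "not set", so it should read `# Skip when every expected tracking request already exists`. The `for`/`else` that follows returns False only when `certmonger.get_request_id` finds all requests, so a single missing or broken request triggers the full stop/start re-tracking on every ipa-server-upgrade run; that is the intended effect, but stating it in a comment would spare the next reader the same reconstruction. The `certificate_renewal_update_<N>` entries written to the upgrade state by earlier releases (the `version` counter removed in the preceding hunk) are no longer read anywhere in these hunks; they presumably stay behind harmlessly, but a note or a cleanup would avoid confusion when inspecting the state file. The same hunks recur in the re-sent series below.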
[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From 4f1ef08489013d68304b0cee289290fdcde37422 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d72feb8..97baa60 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -822,7 +822,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 73671930abf599a74908d3ce1414d9dc6df3b059 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 28 Feb 2017 10:55:54 + Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. https://pagure.io/freeipa/issue/5799 --- ipaserver/install/server/upgrade.py | 28 +++- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0f27428..8746f00 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http): template = paths.CERTMONGER_COMMAND_TEMPLATE serverid = installutils.realm_to_serverid(api.env.realm) -# bump version when requests is changed -version = 6 requests = [ { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http): } ] -root_logger.info("[Update certmonger certificate renewal configuration to " - "version %d]" % version) +root_logger.info("[Update certmonger certificate renewal configuration]") if not ca.is_configured(): root_logger.info('CA is not configured') return False -state = 'certificate_renewal_update_%d' % version -if sysupgrade.get_upgrade_state('dogtag', state): -return False - # State not set, lets see if we are already configured for request in requests: request_id = certmonger.get_request_id(request) if request_id is None: break else: -sysupgrade.set_upgrade_state('dogtag', state, True) -root_logger.info("Certmonger certificate renewal configuration is " - "already at version %d" % version) return False # Ok, now we need to stop tracking, then we can start tracking them @@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http): ds.stop_tracking_certificates(serverid) http.stop_tracking_certificates() -if not sysupgrade.get_upgrade_state('dogtag', -'certificate_renewal_update_1'): -filename = paths.CERTMONGER_CAS_CA_RENEWAL -if os.path.exists(filename): -with installutils