[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type

2017-05-08 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/728
Author: HonzaCholasta
 Title: #728: ipa-cacert-manage: add --external-ca-type
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/728/head:pr728
git checkout pr728
From c0c79f0b0fdaf0b5a1bfe0d92018f3bf12373907 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 24 Apr 2017 05:24:24 +
Subject: [PATCH 1/7] renew agent: respect CA renewal master setting

Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.

This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)

Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.

https://pagure.io/freeipa/issue/5799
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +-
 ipaserver/install/cainstance.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7a3d955..f253fd9 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -535,7 +535,7 @@ def main():
 
 profile = os.environ.get('CERTMONGER_CA_PROFILE')
 if is_replicated():
-if profile or is_renewal_master():
+if is_renewal_master():
 handler = request_and_store_cert
 else:
 handler = retrieve_cert_continuous
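Review bot: With `profile` dropped from the condition, the `profile = os.environ.get('CERTMONGER_CA_PROFILE')` assignment two lines above the change looks like a dead store; if nothing further down in main() reads it, remove the assignment, otherwise add a short comment naming what still uses it. The new condition is the stricter one: only the renewal master calls `request_and_store_cert` and every other replica falls back to `retrieve_cert_continuous`, whatever profile the request carries, which is what keeps a single CA issuing renewals. main() starts and ends outside this hunk, so a later use of `profile` cannot be confirmed from here. The identical hunk in the 2017-05-03 copy of this message further down the page has the same point.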
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d72feb8..97baa60 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -822,7 +822,7 @@ def __request_ra_certificate(self):
  "-out", chain_file.name,
  ], stdin=data, capture_output=False)
 
-agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
+agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT,
   "--dbdir", self.tmp_agent_db,
   "--nickname", "ipa-ca-agent",
   "--cafile", chain_file.name,
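Review bot: The switch to `paths.CERTMONGER_DOGTAG_SUBMIT` is explained only in the commit message; the code should carry the reason so nobody "fixes" it back to the renew-agent helper, e.g. above the `agent_args` line: `# Use dogtag-submit directly: the CA renewal master setting is not available this early in the install, so dogtag-ipa-ca-renew-agent-submit cannot be used here.` __request_ra_certificate() starts and ends outside this hunk. The same applies to the identical hunk in the 2017-05-03 copy of this message below.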

From 9e9bcaa70bc8e7b307ecd99e247311796b9fd32d Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 28 Feb 2017 10:55:54 +
Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request

Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.

This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.

https://pagure.io/freeipa/issue/5799
---
 ipaserver/install/server/upgrade.py | 28 +++-
 1 file changed, 7 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 9aec2d8..84692d3 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http):
 template = paths.CERTMONGER_COMMAND_TEMPLATE
 serverid = installutils.realm_to_serverid(api.env.realm)
 
-# bump version when requests is changed
-version = 6
 requests = [
 {
 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http):
 }
 ]
 
-root_logger.info("[Update certmonger certificate renewal configuration to "
- "version %d]" % version)
+root_logger.info("[Update certmonger certificate renewal configuration]")
 if not ca.is_configured():
 root_logger.info('CA is not configured')
 return False
 
-state = 'certificate_renewal_update_%d' % version
-if sysupgrade.get_upgrade_state('dogtag', state):
-return False
-
 # State not set, lets see if we are already configured
 for request in requests:
 request_id = certmonger.get_request_id(request)
 if request_id is None:
 break
 else:
-sysupgrade.set_upgrade_state('dogtag', state, True)
-root_logger.info("Certmonger certificate renewal configuration is "
- "already at version %d" % version)
 return False
 
 # Ok, now we need to stop tracking, then we can start tracking them
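Review bot: The comment `# State not set, lets see if we are already configured` is now stale, because the version state it refers to is removed in this very hunk; replace it with something like `# Nothing to do if certmonger already tracks every request in the list`. The `else` branch of the loop also lost its log line along with the version message, so a re-run that finds everything tracked now returns silently; `root_logger.info("Certmonger certificate renewal configuration is already up to date")` before the `return False` would keep the upgrade log readable. With the version gate gone the early return depends entirely on `certmonger.get_request_id` matching each entry of `requests`, so the comment should make that the documented contract. certificate_renewal_update() continues past the end of this hunk, and the identical hunk in the 2017-05-03 copy of this message below has the same points.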
@@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http):
 ds.stop_tracking_certificates(serverid)
 http.stop_tracking_certificates()
 
-if not sysupgrade.get_upgrade_state('dogtag',
-'certificate_renewal_update_1'):
-filename = paths.CERTMONGER_CAS_CA_RENEWAL
-if os.path.exists(filename):
-with installutils

[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type

2017-05-03 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/728
Author: HonzaCholasta
 Title: #728: ipa-cacert-manage: add --external-ca-type
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/728/head:pr728
git checkout pr728
From 4f1ef08489013d68304b0cee289290fdcde37422 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 24 Apr 2017 05:24:24 +
Subject: [PATCH 1/7] renew agent: respect CA renewal master setting

Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.

This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)

Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.

https://pagure.io/freeipa/issue/5799
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +-
 ipaserver/install/cainstance.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7a3d955..f253fd9 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -535,7 +535,7 @@ def main():
 
 profile = os.environ.get('CERTMONGER_CA_PROFILE')
 if is_replicated():
-if profile or is_renewal_master():
+if is_renewal_master():
 handler = request_and_store_cert
 else:
 handler = retrieve_cert_continuous
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d72feb8..97baa60 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -822,7 +822,7 @@ def __request_ra_certificate(self):
  "-out", chain_file.name,
  ], stdin=data, capture_output=False)
 
-agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
+agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT,
   "--dbdir", self.tmp_agent_db,
   "--nickname", "ipa-ca-agent",
   "--cafile", chain_file.name,

From 73671930abf599a74908d3ce1414d9dc6df3b059 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 28 Feb 2017 10:55:54 +
Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request

Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.

This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.

https://pagure.io/freeipa/issue/5799
---
 ipaserver/install/server/upgrade.py | 28 +++-
 1 file changed, 7 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0f27428..8746f00 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http):
 template = paths.CERTMONGER_COMMAND_TEMPLATE
 serverid = installutils.realm_to_serverid(api.env.realm)
 
-# bump version when requests is changed
-version = 6
 requests = [
 {
 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http):
 }
 ]
 
-root_logger.info("[Update certmonger certificate renewal configuration to "
- "version %d]" % version)
+root_logger.info("[Update certmonger certificate renewal configuration]")
 if not ca.is_configured():
 root_logger.info('CA is not configured')
 return False
 
-state = 'certificate_renewal_update_%d' % version
-if sysupgrade.get_upgrade_state('dogtag', state):
-return False
-
 # State not set, lets see if we are already configured
 for request in requests:
 request_id = certmonger.get_request_id(request)
 if request_id is None:
 break
 else:
-sysupgrade.set_upgrade_state('dogtag', state, True)
-root_logger.info("Certmonger certificate renewal configuration is "
- "already at version %d" % version)
 return False
 
 # Ok, now we need to stop tracking, then we can start tracking them
@@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http):
 ds.stop_tracking_certificates(serverid)
 http.stop_tracking_certificates()
 
-if not sysupgrade.get_upgrade_state('dogtag',
-'certificate_renewal_update_1'):
-filename = paths.CERTMONGER_CAS_CA_RENEWAL
-if os.path.exists(filename):
-with installutils