Set renewal time for the CA audit certificate to 720 days.

The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.

https://fedorahosted.org/freeipa/ticket/2951

2 files changed, 47 insertions, 7 deletions

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cb2164c0c..4ed718a9b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -211,14 +211,15 @@ def upgrade_pki(fstore):
 
     This requires enabling SSL renegotiation.
     """
+    configured_constants = dogtag.configured_constants()
     root_logger.info('[Verifying that CA proxy configuration is correct]')
-    if not os.path.exists('/etc/pki-ca/CS.cfg'):
+    if not os.path.exists(configured_constants.CS_CFG_PATH):
         root_logger.debug('No CA detected in /etc/pki-ca')
         return
 
     http = httpinstance.HTTPInstance(fstore)
     http.enable_mod_nss_renegotiate()
-    if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+    if not installutils.get_directive(configured_constants.CS_CFG_PATH,
                                       'proxy.securePort', '=') and \
             os.path.exists('/usr/bin/pki-setup-proxy'):
         ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
@@ -285,17 +286,24 @@ def cleanup_kdc(fstore):
 def upgrade_ipa_profile(ca):
     """
     Update the IPA Profile provided by dogtag
+
+    Returns True if restart is needed, False otherwise.
     """
     root_logger.info('[Verifying that CA service certificate profile is updated]')
     if ca.is_configured():
-        if ca.enable_subject_key_identifier():
-            root_logger.debug('Subject Key Identifier updated, restarting CA')
-            ca.restart()
+        ski = ca.enable_subject_key_identifier()
+        if ski:
+            root_logger.debug('Subject Key Identifier updated.')
         else:
             root_logger.debug('Subject Key Identifier already set.')
+        audit = ca.set_audit_renewal()
+        if audit or ski:
+            return True
     else:
         root_logger.debug('CA is not configured')
 
+    return False
+
 def upgrade_httpd_selinux(fstore):
     """
     Update SElinux configuration for httpd instance in the same way as the
@@ -609,14 +617,13 @@ def main():
         pass
 
     cleanup_kdc(fstore)
-    upgrade_ipa_profile(ca)
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bindinstance.BindInstance(fstore).restart()
-    ca_restart = ca_restart or enable_certificate_renewal(ca)
+    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca)
 
     if ca_restart:
         root_logger.info('pki-ca configuration changed, restart pki-ca')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c37c261f2..a64fe6f03 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -562,6 +562,7 @@ class CAInstance(service.Service):
             self.step("set up CRL publishing", self.__enable_crl_publish)
             self.step("set certificate subject base", self.__set_subject_in_config)
             self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+            self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
             self.step("configuring certificate server to start on boot", self.__enable)
             if not self.clone:
                 self.step("restarting certificate server", self.__restart_instance)
@@ -1420,6 +1421,38 @@ class CAInstance(service.Service):
         # No update was done
         return False
 
+    def set_audit_renewal(self):
+        """
+        The default renewal time for the audit signing certificate is
+        six months rather than two years. Fix it. This is BZ 843979.
+        """
+        # Check the default validity period of the audit signing cert
+        # and set it to 2 years if it is 6 months.
+        range = installutils.get_directive(
+            '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+            'policyset.caLogSigningSet.2.default.params.range',
+            separator='='
+        )
+        root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
+        if range == "180":
+            installutils.set_directive(
+                '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+                'policyset.caLogSigningSet.2.default.params.range',
+                '720',
+                quotes=False,
+                separator='='
+            )
+            installutils.set_directive(
+                '%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+                'policyset.caLogSigningSet.2.constraint.params.range',
+                '720',
+                quotes=False,
+                separator='='
+            )
+            root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
+            return True
+        return False
+
     def is_master(self):
         """
         There are some tasks that are only done on a single dogtag master.