authorJan Cholasta <jcholast@redhat.com>2014-10-14 11:12:55 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-10-30 10:51:36 +0100
commit35947c6e103a18c3f81af4b6d3795218a93b3b57 (patch)
tree305bc1e38e0095d099dd5863f992c3f26b63e65e /install/certmonger
parenta649a84a1bd7eb3c727fdcfc341b326a19b0ee5a (diff)
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
If the new certificate is not available, reuse the old one instead of waiting indefinitely for the new certificate to appear. https://fedorahosted.org/freeipa/ticket/4628 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit87
1 files changed, 49 insertions, 38 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index ca4380c33..9a01eb3a0 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -279,25 +279,11 @@ def request_and_store_cert():
else:
return result
-def retrieve_cert():
+def retrieve_or_reuse_cert():
"""
- Retrieve new certificate from LDAP.
+ Retrieve certificate from LDAP. If the certificate is not available, reuse
+ the old certificate.
"""
- operation = os.environ.get('CERTMONGER_OPERATION')
- if operation == 'SUBMIT':
- attempts = 0
- elif operation == 'POLL':
- cookie = os.environ.get('CERTMONGER_CA_COOKIE')
- if not cookie:
- return (UNCONFIGURED, "Cookie not provided")
-
- try:
- attempts = int(cookie)
- except ValueError:
- return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
- else:
- return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-
csr = os.environ.get('CERTMONGER_CSR')
if not csr:
return (UNCONFIGURED, "Certificate request not provided")
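Review bot: The new docstring on retrieve_or_reuse_cert does not say what "reuse" means to the caller — that when the LDAP entry is missing the function still answers ISSUED, carrying the unchanged CERTMONGER_CERTIFICATE value — which matters now that it is registered as its own handler and no longer looks at CERTMONGER_OPERATION, so SUBMIT and POLL are treated alike. Suggest extending the docstring with: `Returns (ISSUED, cert) with the certificate found in LDAP, or with the` / `unchanged CERTMONGER_CERTIFICATE value when no entry exists; a missing CSR` / `yields UNCONFIGURED, a missing friendly name or certificate REJECTED.` The function body continues in the following hunks.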
@@ -306,12 +292,9 @@ def retrieve_cert():
if not nickname:
return (REJECTED, "No friendly name in the certificate request")
- old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
- if not old_cert:
+ cert = os.environ.get('CERTMONGER_CERTIFICATE')
+ if not cert:
return (REJECTED, "New certificate requests not supported")
- old_cert = x509.normalize_certificate(old_cert)
-
- syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
with ldap_connect() as conn:
try:
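Review bot: The syslog notice `Updating certificate for %s` removed here was the only log line on the retrieval path, and with the `except errors.NotFound: pass` in the next hunk the reuse fallback becomes silent too, so an operator cannot tell from the logs whether a renewed CA certificate was picked up or the old one was handed back. Suggest keeping a notice here, `syslog.syslog(syslog.LOG_NOTICE, "Retrieving certificate for %s" % nickname)`, and replacing the `pass` with `syslog.syslog(syslog.LOG_NOTICE, "Certificate for %s not found in LDAP, reusing the old one" % nickname)`. Dropping normalize_certificate on `cert` also means the reuse path returns the value exactly as certmonger supplied it rather than in the make_pem form the LDAP path produces; presumably certmonger accepts its own format back, but the two branches no longer guarantee the same output shape. The function body continues outside this hunk.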
@@ -320,23 +303,50 @@ def retrieve_cert():
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
['usercertificate'])
except errors.NotFound:
- cert = old_cert
+ pass
else:
cert = entry.single_value['usercertificate']
+ cert = base64.b64encode(cert)
+ cert = x509.make_pem(cert)
+
+ return (ISSUED, cert)
+
+def retrieve_cert():
+ """
+ Retrieve new certificate from LDAP.
+ """
+ operation = os.environ.get('CERTMONGER_OPERATION')
+ if operation == 'SUBMIT':
+ attempts = 0
+ elif operation == 'POLL':
+ cookie = os.environ.get('CERTMONGER_CA_COOKIE')
+ if not cookie:
+ return (UNCONFIGURED, "Cookie not provided")
+
+ try:
+ attempts = int(cookie)
+ except ValueError:
+ return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+ else:
+ return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
- if cert == old_cert:
- attempts += 1
- if attempts < 4:
- syslog.syslog(
- syslog.LOG_INFO,
- "Updated certificate for %s not available" % nickname)
- # No cert available yet, tell certmonger to wait another 8 hours
- return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+ old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
+ if old_cert:
+ old_cert = x509.normalize_certificate(old_cert)
- cert = base64.b64encode(cert)
- cert = x509.make_pem(cert)
+ result = call_handler(retrieve_or_reuse_cert)
+ if result[0] != ISSUED:
+ return result
- return (ISSUED, cert)
+ new_cert = x509.normalize_certificate(result[1])
+ if new_cert == old_cert:
+ attempts += 1
+ if attempts < 4:
+ syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
+ # No cert available yet, tell certmonger to wait another 8 hours
+ return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+
+ return result
def export_csr():
"""
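Review bot: The wait-path message `"Updated certificate not available"` in retrieve_cert drops the nickname the old message carried, so with several tracked certificates the log no longer says which request is stalled; since `nickname` is only derived inside retrieve_or_reuse_cert, at least record the poll count, `syslog.syslog(syslog.LOG_INFO, "Updated certificate not available (attempt %d)" % attempts)`. The limit `4` and the delay `8 * 60 * 60` are now literals spread between the comment and the code; module-level constants would keep the retry policy (roughly a day of polling before falling back) readable in one place. After the fourth attempt the function returns the ISSUED result that carries the old certificate, which is the intended fallback but means certmonger stores an unchanged certificate as a fresh issuance — worth a comment such as `# Give up waiting: hand the old certificate back so certmonger does not block forever`. The `pass` in the NotFound branch of retrieve_or_reuse_cert also leaves the fallback unlogged, as raised on the previous hunk.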
@@ -414,10 +424,11 @@ def renew_ca_cert():
def main():
handlers = {
- 'ipaStorage': store_cert,
- 'ipaRetrieval': retrieve_cert,
- 'ipaCSRExport': export_csr,
- 'ipaCACertRenewal': renew_ca_cert,
+ 'ipaStorage': store_cert,
+ 'ipaRetrievalOrReuse': retrieve_or_reuse_cert,
+ 'ipaRetrieval': retrieve_cert,
+ 'ipaCSRExport': export_csr,
+ 'ipaCACertRenewal': renew_ca_cert,
}
api.bootstrap(context='renew')