author | Jan Cholasta <jcholast@redhat.com> | 2014-03-12 11:36:30 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 031096324d384e51921dc73960dd9f7b5372ee65 (patch) | |
tree | adc209249bf0874f7ec89da267cc67050e55e4c1 /install | |
parent | ba3c7b4a8956c8be696c664a6023b5184b3eba5a (diff) | |
Alert user when externally signed CA is about to expire.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 3956b5891..6fb9d7971 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -279,12 +279,13 @@ def renew_ca_cert():
 cert = os.environ.get('CERTMONGER_CERTIFICATE')
 if not cert:
 return (REJECTED, "New certificate requests not supported")
+ is_self_signed = x509.is_self_signed(cert)
 operation = os.environ.get('CERTMONGER_OPERATION')
 if operation == 'SUBMIT':
 state = 'retrieve'
- if x509.is_self_signed(cert):
+ if is_self_signed:
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
 if ca.is_renewal_master():
 state = 'request'
@@ -304,6 +305,10 @@ def renew_ca_cert():
 if state == 'retrieve':
 result = retrieve_cert()
+ if result[0] == WAIT_WITH_DELAY and not is_self_signed:
+ syslog.syslog(syslog.LOG_ALERT,
+ "IPA CA certificate is about to expire, "
+ "use ipa-cacert-manage to renew it")
 elif state == 'request':
 os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
 result = request_and_store_cert() |
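Review bot: Moving `x509.is_self_signed(cert)` above the `operation` check in `renew_ca_cert()` means the value of `CERTMONGER_CERTIFICATE` is now parsed for every operation, not only `SUBMIT`. If the helper can raise on input it cannot decode (its body is not shown here), that failure would now abort operations that previously never called it. Consider returning a status tuple in that case, in the style of the existing `return (REJECTED, "New certificate requests not supported")`. A short comment such as `# evaluated once: used for the SUBMIT state choice and for the expiry alert below` would also explain the hoist. The function starts and continues outside this hunk.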
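Review bot: The new `LOG_ALERT` message in the `retrieve` branch does not say which certificate it concerns, and it is written each time `retrieve_cert()` returns `WAIT_WITH_DELAY`, so presumably once per certmonger retry. Adding the certificate subject and expiry date to the text would help whoever triages the alert. A comment stating why `WAIT_WITH_DELAY` for a non-self-signed CA is treated as "about to expire", e.g. `# externally signed CA: no renewed cert published yet, manual renewal needed`, would make the condition auditable. `retrieve_cert()` and the rest of `renew_ca_cert()` lie outside this hunk, so the meaning of that status is inferred rather than confirmed.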