authorDavid Kupka <dkupka@redhat.com>2014-09-03 09:07:16 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-05 10:51:42 +0200
commit6d94cdf250c470bf77a0e769ea30a90fa5815b81 (patch)
tree499bd2ba7ddc4cd5311b35070e8f7db9a85b8b88 /ipaserver
parent62a255949377d4a6b3cc197462223b5b0495d18d (diff)
Use certmonger D-Bus API instead of messing with its files.
The FreeIPA certmonger module was changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be a more stable and supported way of using certmonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py6
-rw-r--r--ipaserver/install/certs.py26
-rw-r--r--ipaserver/install/dogtaginstance.py4
-rw-r--r--ipaserver/install/ipa_cacert_manage.py4
-rw-r--r--ipaserver/install/plugins/ca_renewal_master.py8
5 files changed, 14 insertions, 34 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 36a1db060..ce0561a08 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1327,7 +1327,7 @@ class CAInstance(DogtagInstance):
secdir=paths.HTTPD_ALIAS_DIR,
pre_command=None,
post_command='renew_ra_cert')
- except (ipautil.CalledProcessError, RuntimeError), e:
+ except RuntimeError, e:
self.log.error(
"certmonger failed to start tracking certificate: %s", e)
@@ -1369,7 +1369,7 @@ class CAInstance(DogtagInstance):
secdir=self.dogtag_constants.ALIAS_DIR,
pre_command=None,
post_command=None)
- except (ipautil.CalledProcessError, RuntimeError), e:
+ except RuntimeError, e:
self.log.error(
"certmonger failed to start tracking certificate: %s", e)
@@ -1382,7 +1382,7 @@ class CAInstance(DogtagInstance):
cmonger.start()
try:
certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert')
- except (ipautil.CalledProcessError, RuntimeError), e:
+ except RuntimeError, e:
root_logger.error(
"certmonger failed to stop tracking certificate: %s", e)
cmonger.stop()
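Review bot: `cmonger.start()` and `cmonger.stop()` still bracket `certmonger.stop_tracking(...)` here, while this same commit removes the equivalent start/stop calls from `CertDB.untrack_server_cert` in certs.py. If the D-Bus helper now takes care of reaching the service, the manual bracketing is redundant. The unconditional `cmonger.stop()` also appears to leave certmonger stopped whatever its state was before the call, which would pause renewal of any other tracked certificates until it is started again. Either drop the bracketing for consistency or add a comment saying why this path still needs it, e.g. `# certmonger must be stopped here because ...`. The enclosing function begins and ends outside this hunk.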
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 6569f5144..4d508cde8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -547,46 +547,26 @@ class CertDB(object):
else:
libpath = 'lib'
command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, command)
- cmonger = services.knownservices.certmonger
- cmonger.enable()
- services.knownservices.messagebus.start()
- cmonger.start()
try:
- (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file, command)
- except (ipautil.CalledProcessError, RuntimeError), e:
+ request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
+ except RuntimeError, e:
root_logger.error("certmonger failed starting to track certificate: %s" % str(e))
return
- cmonger.stop()
cert = self.get_cert_from_db(nickname)
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
subject = str(nsscert.subject)
- m = re.match('New tracking request "(\d+)" added', stdout)
- if not m:
- root_logger.error('Didn\'t get new %s request, got %s' % (cmonger.service_name, stdout))
- raise RuntimeError('%s did not issue new tracking request for \'%s\' in \'%s\'. Use \'ipa-getcert list\' to list existing certificates.' % (cmonger.service_name, nickname, self.secdir))
- request_id = m.group(1)
-
certmonger.add_principal(request_id, principal)
certmonger.add_subject(request_id, subject)
- cmonger.start()
-
def untrack_server_cert(self, nickname):
"""
Tell certmonger to stop tracking the given certificate nickname.
"""
-
- # Always start certmonger. We can't untrack something if it isn't
- # running
- cmonger = services.knownservices.certmonger
- services.knownservices.messagebus.start()
- cmonger.start()
try:
certmonger.stop_tracking(self.secdir, nickname=nickname)
- except (ipautil.CalledProcessError, RuntimeError), e:
+ except RuntimeError, e:
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
- cmonger.stop()
def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None):
"""
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index c872f3103..6d9c788de 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -325,7 +325,7 @@ class DogtagInstance(service.Service):
pre_command='stop_pkicad',
post_command='renew_ca_cert "%s"' % nickname,
profile=profile)
- except (ipautil.CalledProcessError, RuntimeError), e:
+ except RuntimeError, e:
self.log.error(
"certmonger failed to start tracking certificate: %s", e)
@@ -343,7 +343,7 @@ class DogtagInstance(service.Service):
try:
certmonger.stop_tracking(
dogtag_constants.ALIAS_DIR, nickname=nickname)
- except (ipautil.CalledProcessError, RuntimeError), e:
+ except RuntimeError, e:
self.log.error(
"certmonger failed to stop tracking certificate: %s", e)
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 64602c835..c681261e8 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -153,8 +153,8 @@ class CACertManage(admintool.AdminTool):
raise admintool.ScriptError("CA is not configured on this system")
nss_dir = ca.dogtag_constants.ALIAS_DIR
- criteria = (('cert_storage_location', nss_dir, certmonger.NPATH),
- ('cert_nickname', self.cert_nickname, None))
+ criteria = {'cert-database': nss_dir,
+ 'cert-nickname': self.cert_nickname}
self.request_id = certmonger.get_request_id(criteria)
if self.request_id is None:
raise admintool.ScriptError(
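Review bot: The new `criteria` dict drops the `certmonger.NPATH` marker that the old tuple attached to the storage location, so it is unclear from this hunk whether `get_request_id` still compares `'cert-database'` in a path-normalised way. If it is now an exact string match, a trailing slash or other spelling difference in `nss_dir` would make the lookup return None and this tool would report that the certificate is not tracked. Confirm the helper normalises the value, or normalise at the call site with `'cert-database': os.path.normpath(nss_dir)` (this needs `os` in scope), and add a short comment naming the certmonger request properties these keys map to. The same question applies to the `criteria` dict in plugins/ca_renewal_master.py, where a None result is not reported as an error in the visible lines.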
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 37b5487fe..52508b589 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -52,10 +52,10 @@ class update_ca_renewal_master(PostUpdate):
self.debug("found CA renewal master %s", entries[0].dn[1].value)
return (False, False, [])
- criteria = (
- ('cert_storage_location', paths.HTTPD_ALIAS_DIR, certmonger.NPATH),
- ('cert_nickname', 'ipaCert', None),
- )
+ criteria = {
+ 'cert-database': paths.HTTPD_ALIAS_DIR,
+ 'cert-nickname': 'ipaCert',
+ }
request_id = certmonger.get_request_id(criteria)
if request_id is not None:
self.debug("found certmonger request for ipaCert")