diff options
| author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 08:55:17 +0000 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
| commit | b5d082ec4d08712f8be5b56ea248133a76fd923a (patch) | |
| tree | 8e8cec9087e7517ff057ffd99bcb200d914a5090 | |
| parent | c3169add3be4fdb4572d6e159766a1d3cbb7e3d8 (diff) | |
| download | freeipa-b5d082ec4d08712f8be5b56ea248133a76fd923a.tar.gz freeipa-b5d082ec4d08712f8be5b56ea248133a76fd923a.tar.xz freeipa-b5d082ec4d08712f8be5b56ea248133a76fd923a.zip | |
Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
| -rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 7 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 6 |
2 files changed, 8 insertions, 5 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 6da7f6dbf..e39da4a21 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -36,6 +36,7 @@ from ipapython import ipautil from ipapython.dn import DN from ipalib import api, errors, pkcs10, x509 from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import cainstance, certs # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more @@ -256,7 +257,11 @@ def main(): if profile: handler = handlers.get(profile, request_and_store_cert) else: - handler = request_and_store_cert + ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + if ca.is_renewal_master(): + handler = request_and_store_cert + else: + handler = retrieve_cert res = handler() for item in res[1:]: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 99c008a67..6180e42b7 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -925,8 +925,7 @@ class CAInstance(service.Service): pinfile='/etc/httpd/alias/pwdfile.txt', secdir='/etc/httpd/alias', pre_command=None, - post_command='restart_httpd', - profile='ipaRetrieval') + post_command='restart_httpd') except (ipautil.CalledProcessError, RuntimeError), e: root_logger.error( "certmonger failed to start tracking certificate: %s" % str(e)) @@ -1504,8 +1503,7 @@ class CAInstance(service.Service): pinfile=None, secdir=self.dogtag_constants.ALIAS_DIR, pre_command='stop_pkicad', - post_command='restart_pkicad "%s"' % nickname, - profile='ipaRetrieval') + post_command='restart_pkicad "%s"' % nickname) except (ipautil.CalledProcessError, RuntimeError), e: root_logger.error( "certmonger failed to start tracking certificate: " |