author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 08:08:57 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
commit | babddaaee84fccca29926a6683347b5b6af8f081 (patch) | |
tree | a8ee791a131ce53d7eb3038de6711f25e24ad13c | |
parent | bbb2af501678ba148b0c02daa39995a2b1c38e4e (diff) | |
Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.
Before, this was done by dogtag-ipa-retrieve-agent-submit.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
-rw-r--r-- | ipapython/certmonger.py | 9 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 34 |
2 files changed, 27 insertions, 16 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 03f4b2373..e7edc64f2 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -369,7 +369,7 @@ def get_pin(token, dogtag_constants=None):
 return None
 def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
- post_command):
+ post_command, profile=None):
 """
 Tell certmonger to start tracking a dogtag CA certificate. These are
 handled differently because their renewal must be done directly
@@ -423,12 +423,9 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
 args.append("-P")
 args.append(pin)
- if ca == 'dogtag-ipa-retrieve-agent-submit':
- # We cheat and pass in the nickname as the profile when
- # renewing on a clone. The submit otherwise doesn't pass in the
- # nickname and we need some way to find the right entry in LDAP.
+ if profile:
 args.append("-T")
- args.append(nickname)
+ args.append(profile)
 (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 710caae72..3458b312d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -917,7 +917,15 @@ class CAInstance(service.Service):
 On upgrades this needs to be called from ipa-upgradeconfig.
 """
 try:
- certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', None, 'restart_httpd')
+ certmonger.dogtag_start_tracking(
+ ca='dogtag-ipa-ca-renew-agent',
+ nickname='ipaCert',
+ pin=None,
+ pinfile='/etc/httpd/alias/pwdfile.txt',
+ secdir='/etc/httpd/alias',
+ pre_command=None,
+ post_command='restart_httpd',
+ profile='ipaRetrieval')
 except (ipautil.CalledProcessError, RuntimeError), e:
 root_logger.error(
 "certmonger failed to start tracking certificate: %s" % str(e))
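Review bot: The `if profile:` branch in dogtag_start_tracking drops the comment that explained why `-T` is sent at all, and the new `profile` parameter is not mentioned in the part of the docstring this patch touches (the docstring continues past the hunk, so check whether a parameter list further down needs an entry). I would keep a why-comment above the branch, e.g. `# -T selects the certmonger profile; callers pass 'ipaRetrieval' so the renew-agent helper fetches the already-renewed certificate from LDAP instead of renewing it itself` (wording taken from the commit message — confirm against the helper), and add a docstring line such as `:param profile: certmonger profile name passed with -T, or None to omit the option`. `profile` is appended to the argv list handed to ipautil.run rather than interpolated into a shell string, so there is no quoting concern; note that `if profile:` also suppresses `-T` for an empty string, which is fine as long as no caller relies on an empty profile name. The function's body continues after the end of the hunk.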
@@ -1356,7 +1364,7 @@ class CAInstance(service.Service):
 obj = bus.get_object('org.fedorahosted.certmonger',
 '/org/fedorahosted/certmonger')
 iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
- path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
+ path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
 if path:
 iface.remove_known_ca(path)
@@ -1460,11 +1468,11 @@ class CAInstance(service.Service):
 obj = bus.get_object('org.fedorahosted.certmonger',
 '/org/fedorahosted/certmonger')
 iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
- path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
+ path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
 if not path:
 iface.add_known_ca(
- 'dogtag-ipa-retrieve-agent-submit',
- '/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit', [])
+ 'dogtag-ipa-ca-renew-agent',
+ '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit', [])
 def configure_clone_renewal(self):
 """
@@ -1481,12 +1489,18 @@ class CAInstance(service.Service):
 'subsystemCert cert-pki-ca']:
 try:
 certmonger.dogtag_start_tracking(
- 'dogtag-ipa-retrieve-agent-submit', nickname, pin, None,
- self.dogtag_constants.ALIAS_DIR, 'stop_pkicad',
- 'restart_pkicad "%s"' % nickname)
+ ca='dogtag-ipa-ca-renew-agent',
+ nickname=nickname,
+ pin=pin,
+ pinfile=None,
+ secdir=self.dogtag_constants.ALIAS_DIR,
+ pre_command='stop_pkicad',
+ post_command='restart_pkicad "%s"' % nickname,
+ profile='ipaRetrieval')
 except (ipautil.CalledProcessError, RuntimeError), e:
- root_logger.error(
- "certmonger failed to start tracking certificate: %s" % str(e))
+ root_logger.error(
+ "certmonger failed to start tracking certificate: "
+ "%s" % e)
 # The agent renewal is configured in import_ra_cert which is called
 # after the HTTP instance is created. |
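Review bot: The lookup at `path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')` now finds only the new CA entry, so an instance that was installed with the previous helper and still has a `dogtag-ipa-retrieve-agent-submit` CA registered in certmonger keeps that stale entry after this cleanup runs (this reads like the uninstall path — confirm from the enclosing method, which starts outside the hunk). Nothing visible in the commit removes or migrates the old CA name, and any tracking request that still references it would keep invoking the old helper; since these are the CA subsystem certificates on a clone, a missed renewal is an outage, so the ipa-upgradeconfig step mentioned in the import_ra_cert docstring should be checked to re-track them. A cheap safeguard here is to look up and remove both nicknames.
```python
        for ca_name in ('dogtag-ipa-ca-renew-agent',
                        'dogtag-ipa-retrieve-agent-submit'):
            path = iface.find_ca_by_nickname(ca_name)
            if path:
                iface.remove_known_ca(path)
```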
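Review bot: The reworked log call `root_logger.error("certmonger failed to start tracking certificate: " "%s" % e)` still does not say which certificate failed, even though this runs inside a loop over several CA nicknames (the `for` header is outside the hunk; `'subsystemCert cert-pki-ca']:` is its last line) and the exception is swallowed, so this one line is the only trace that a clone certificate was left untracked. Include the nickname in the message: `"certmonger failed to start tracking certificate %s: %s"` followed by `% (nickname, e)`. The change from `str(e)` to `"%s" % e` is equivalent and fine on its own.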