authorJan Cholasta <jcholast@redhat.com>2014-10-14 11:26:15 +0200
committerMartin Kosek <mkosek@redhat.com>2014-11-05 15:26:42 +0100
commit2cf0f0a658ba3151596e3782c76d6273362080cf (patch)
tree0bbb689b6901a9c506402692fefd850c8e3598df /install/certmonger
parent364d466fd7def3589ddb9e4a9f8d73fc2df80439 (diff)
Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of waiting indefinitely for the certificate to appear. https://fedorahosted.org/freeipa/ticket/4629 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit40
1 files changed, 17 insertions, 23 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 9a01eb3a0..e5ad9639b 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -311,25 +311,11 @@ def retrieve_or_reuse_cert():
return (ISSUED, cert)
-def retrieve_cert():
+def retrieve_cert_continuous():
"""
- Retrieve new certificate from LDAP.
+ Retrieve new certificate from LDAP. Repeat every eight hours until the
+ certificate is available.
"""
- operation = os.environ.get('CERTMONGER_OPERATION')
- if operation == 'SUBMIT':
- attempts = 0
- elif operation == 'POLL':
- cookie = os.environ.get('CERTMONGER_CA_COOKIE')
- if not cookie:
- return (UNCONFIGURED, "Cookie not provided")
-
- try:
- attempts = int(cookie)
- except ValueError:
- return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
- else:
- return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-
old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
if old_cert:
old_cert = x509.normalize_certificate(old_cert)
@@ -340,11 +326,19 @@ def retrieve_cert():
new_cert = x509.normalize_certificate(result[1])
if new_cert == old_cert:
- attempts += 1
- if attempts < 4:
- syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
- # No cert available yet, tell certmonger to wait another 8 hours
- return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+ syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
+ # No cert available yet, tell certmonger to wait another 8 hours
+ return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
+
+ return result
+
+def retrieve_cert():
+ """
+ Retrieve new certificate from LDAP.
+ """
+ result = call_handler(retrieve_cert_continuous)
+ if result[0] == WAIT_WITH_DELAY:
+ return (REJECTED, "Updated certificate not available")
return result
@@ -451,7 +445,7 @@ def main():
if ca.is_renewal_master():
handler = request_and_store_cert
else:
- handler = retrieve_cert
+ handler = retrieve_cert_continuous
res = call_handler(handler)
for item in res[1:]:
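Review bot: The new `retrieve_cert` wrapper in the second hunk keeps the old docstring "Retrieve new certificate from LDAP.", which no longer tells it apart from `retrieve_cert_continuous`; the difference callers care about is that it never asks certmonger to wait and instead turns WAIT_WITH_DELAY into REJECTED. Suggest `"""Retrieve new certificate from LDAP without waiting: unlike retrieve_cert_continuous, return REJECTED if the updated certificate is not yet available in LDAP."""`. The text "Updated certificate not available" is now spelled twice, once in the syslog call and once in the REJECTED tuple, so a module-level constant would keep the two from drifting apart. Since `main` already passes its handler through `call_handler` and `retrieve_cert` itself calls `call_handler(retrieve_cert_continuous)`, using `retrieve_cert` as a handler nests the wrapper; `call_handler` is not in the diff, so whether that nesting is harmless cannot be confirmed here. The body of `retrieve_cert_continuous` begins in the first hunk, where its former `CERTMONGER_OPERATION` check (returning OPERATION_NOT_SUPPORTED_BY_HELPER for anything but SUBMIT/POLL) is dropped without a replacement visible in these hunks, which is only safe if `main` or `call_handler` still gates on the operation.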