summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit40
-rw-r--r--ipaserver/install/ipa_cacert_manage.py3
2 files changed, 19 insertions, 24 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 9a01eb3a0..e5ad9639b 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -311,25 +311,11 @@ def retrieve_or_reuse_cert():
return (ISSUED, cert)
-def retrieve_cert():
+def retrieve_cert_continuous():
"""
- Retrieve new certificate from LDAP.
+ Retrieve new certificate from LDAP. Repeat every eight hours until the
+ certificate is available.
"""
- operation = os.environ.get('CERTMONGER_OPERATION')
- if operation == 'SUBMIT':
- attempts = 0
- elif operation == 'POLL':
- cookie = os.environ.get('CERTMONGER_CA_COOKIE')
- if not cookie:
- return (UNCONFIGURED, "Cookie not provided")
-
- try:
- attempts = int(cookie)
- except ValueError:
- return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
- else:
- return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-
old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
if old_cert:
old_cert = x509.normalize_certificate(old_cert)
@@ -340,11 +326,19 @@ def retrieve_cert():
new_cert = x509.normalize_certificate(result[1])
if new_cert == old_cert:
- attempts += 1
- if attempts < 4:
- syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
- # No cert available yet, tell certmonger to wait another 8 hours
- return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+ syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
+ # No cert available yet, tell certmonger to wait another 8 hours
+ return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
+
+ return result
+
+def retrieve_cert():
+ """
+ Retrieve new certificate from LDAP.
+ """
+ result = call_handler(retrieve_cert_continuous)
+ if result[0] == WAIT_WITH_DELAY:
+ return (REJECTED, "Updated certificate not available")
return result
@@ -451,7 +445,7 @@ def main():
if ca.is_renewal_master():
handler = request_and_store_cert
else:
- handler = retrieve_cert
+ handler = retrieve_cert_continuous
res = call_handler(handler)
for item in res[1:]:
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index a521e3965..2a8d95fdb 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -297,7 +297,8 @@ class CACertManage(admintool.AdminTool):
raise admintool.ScriptError(
"Resubmitting certmonger request '%s' timed out, "
"please check the request manually" % self.request_id)
- if state != 'MONITORING':
+ ca_error = certmonger.get_request_value(self.request_id, 'ca-error')
+ if state != 'MONITORING' or ca_error:
raise admintool.ScriptError(
"Error resubmitting certmonger request '%s', "
"please check the request manually" % self.request_id)