author | Jan Cholasta <jcholast@redhat.com> | 2017-01-06 10:45:38 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-01-16 14:37:25 +0100 |
commit | d5af11f65cc2a2d6860579a63a173b67cb12bcf3 (patch) | |
tree | 57f8b9f5b9cc05191f7bf4fcd4e9daab30c1b419 | |
parent | 68cb4d2b0f6b28f20513371e46b279d80c0b3070 (diff) | |
download | freeipa-d5af11f65cc2a2d6860579a63a173b67cb12bcf3.tar.gz freeipa-d5af11f65cc2a2d6860579a63a173b67cb12bcf3.tar.xz freeipa-d5af11f65cc2a2d6860579a63a173b67cb12bcf3.zip |
renew agent: handle non-replicated certificates
In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 2e137ad44..cb8f93b5f 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -108,6 +108,15 @@ def is_renewable():
 return x509.is_self_signed(cert) or is_lightweight_ca()
+def is_replicated():
+ return not get_nickname()
+
+
+def is_renewal_master():
+ ca = cainstance.CAInstance(host_name=api.env.host)
+ return ca.is_renewal_master()
+
+
 @contextlib.contextmanager
 def ldap_connect():
 conn = None
@@ -447,10 +456,8 @@ def renew_ca_cert():
 if operation == 'SUBMIT':
 state = 'retrieve'
- if is_renewable():
- ca = cainstance.CAInstance(host_name=api.env.host)
- if ca.is_renewal_master():
- state = 'request'
+ if is_renewable() and is_renewal_master():
+ state = 'request'
 elif operation == 'POLL':
 cookie = os.environ.get('CERTMONGER_CA_COOKIE')
 if not cookie:
@@ -506,14 +513,14 @@ def main():
 certs.renewal_lock.acquire()
 try:
 profile = os.environ.get('CERTMONGER_CA_PROFILE')
- if profile:
- handler = handlers.get(profile, request_and_store_cert)
- else:
- ca = cainstance.CAInstance(host_name=api.env.host)
- if ca.is_renewal_master():
+ if is_replicated():
+ if profile or is_renewal_master():
 handler = request_and_store_cert
 else:
 handler = retrieve_cert_continuous
+ else:
+ handler = request_cert
+ handler = handlers.get(profile, handler)
 res = call_handler(handler)
 for item in res[1:]: |
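Review bot: `is_replicated()` in the first hunk looks inverted. The commit message names the Dogtag and RA certificates as the replicated ones, so if `get_nickname()` (defined outside this diff) returns a nickname for exactly those known certificates, `return not get_nickname()` is true only for the others. In `main()` (third hunk) that would route a replicated certificate to `request_cert` on every host and a non-replicated one into the renewal-master/retrieve branch, which could leave hosts holding different copies of a certificate that is meant to be shared. Please confirm the helper's contract and, if it holds, use `return bool(get_nickname())` and add a one-line docstring saying what "replicated" means here.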
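Review bot: The handler selection in the `main()` hunk has no comment, and three inputs (`is_replicated()`, `profile`, `is_renewal_master()`) now decide between three handlers before `handlers.get(profile, handler)` can override the result. Indentation is lost on this page, so it is not visible whether that final lookup runs for both branches or only for the non-replicated one; the comment should state which. Something like `# replicated: request_and_store_cert on the renewal master or when a profile is set, else retrieve_cert_continuous; non-replicated: request_cert; a profile-specific handler overrides either` above the `if` would make the intended dispatch reviewable. `main()` starts and ends outside the hunk.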