summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Babinsky <mbabinsk@redhat.com>2017-03-14 09:56:07 +0100
committerMartin Basti <mbasti@redhat.com>2017-03-15 16:39:39 +0100
commit95768de06fbef78169329af12b29e4d65e4bf157 (patch)
tree968fe608ec9d9e80b8c1dd92f041a891e2f4da3d
parent46d4d534c08d14756b989e157e87a078d174ad5c (diff)
downloadfreeipa-95768de06fbef78169329af12b29e4d65e4bf157.tar.gz
freeipa-95768de06fbef78169329af12b29e4d65e4bf157.tar.xz
freeipa-95768de06fbef78169329af12b29e4d65e4bf157.zip
Make PKINIT certificate request logic consistent with other installers
The certmonger request handling code during pkinit setup actually never correctly handled situations when certificate request was rejected by the CA or CA was unreachable. This led to subtle errors caused by broken anonymous pkinit (e.g. failing WebUI logins) which are hard to debug. The code should behave as other service installers, e. g. use `request_and_wait_for_cert` method which raises hard error when request times out or is not granted by CA. On master contact Dogtag CA endpoint directly as is done in DS installation. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipaserver/install/krbinstance.py16
1 files changed, 8 insertions, 8 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 08d39e243..c74fe40fa 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -357,10 +357,15 @@ class KrbInstance(service.Service):
subject = str(DN(('cn', self.fqdn), self.subject_base))
krbtgt = "krbtgt/" + self.realm + "@" + self.realm
certpath = (paths.KDC_CERT, paths.KDC_KEY)
+
try:
- reqid = certmonger.request_cert(certpath, subject, krbtgt,
- dns=self.fqdn, storage='FILE',
- profile='KDCs_PKINIT_Certs')
+ certmonger.request_and_wait_for_cert(
+ certpath,
+ subject,
+ krbtgt,
+ dns=self.fqdn,
+ storage='FILE',
+ profile='KDCs_PKINIT_Certs')
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error
name = e.get_dbus_name()
@@ -368,11 +373,6 @@ class KrbInstance(service.Service):
root_logger.error("Failed to initiate the request: %s", e)
return
- try:
- certmonger.wait_for_request(reqid)
- except RuntimeError as e:
- root_logger.error("Failed to wait for request: %s", e)
-
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)