authorStanislav Laznicka <slaznick@redhat.com>2017-01-13 09:08:42 +0100
committerJan Cholasta <jcholast@redhat.com>2017-03-01 09:43:41 +0000
commit5ab85b365ae886558b1f077b0d039a0d24bebfa7 (patch)
tree270e8328af5b0d7934e55b81928a2417daa95985 /install
parent24b134c633390343ba76e4091fa612650976280a (diff)
Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be in the /var/lib/ipa/radb NSSDB anymore, as we were keeping a copy of this certificate in a separate file anyway. Remove it from there and track only the file. Remove IPA_RADB_DIR as well, as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit10
-rw-r--r--install/restart_scripts/renew_ra_cert30
2 files changed, 25 insertions, 15 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 2e67c7e5a..cc690b8fa 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -217,10 +217,12 @@ def request_cert():
syslog.syslog(syslog.LOG_NOTICE,
"Forwarding request to dogtag-ipa-renew-agent")
- path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
- args = [path, '--dbdir', paths.IPA_RADB_DIR]
- args.extend(sys.argv[1:])
- args.extend(['--submit-option', "requestor_name=IPA"])
+ args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
+ "--cafile", paths.IPA_CA_CRT,
+ "--certfile", paths.RA_AGENT_PEM,
+ "--keyfile", paths.RA_AGENT_KEY] +
+ sys.argv[1:] +
+ ['--submit-option', "requestor_name=IPA"])
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
args += ['-N', '-O', 'bypassCAnotafter=true']
result = ipautil.run(args, raiseonerr=False, env=os.environ,
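Review bot: The new argument list hands the RA agent credentials to the helper as PEM files (`--cafile`, `--certfile`, `--keyfile`) where the old code passed an NSS database directory, and nothing in request_cert says why; a one-line comment above the `args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,` line would spare the next reader a trip to the commit log, e.g. `# ipaCert is no longer kept in an NSS DB; authenticate to dogtag with the RA agent PEM cert/key files`. The option names are taken from the hunk and I have not checked them against dogtag-ipa-renew-agent-submit's own parser, so confirm that `--submit-option` and the `-N`/`-O` flags appended on the caCACert branch still behave the same at this position. A missing or unreadable `paths.RA_AGENT_PEM` or `paths.RA_AGENT_KEY` is only detected inside the child process here, so the `result` handling after the hunk presumably is what surfaces it. request_cert both starts and ends outside the hunk.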
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 4dc6c2e4f..5c71d5791 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -27,15 +27,15 @@ import tempfile
import shutil
import traceback
+from cryptography.hazmat.primitives import serialization
+
from ipalib.install.kinit import kinit_keytab
-from ipalib import api
-from ipaserver.install import certs, cainstance, dogtaginstance
+from ipalib import api, x509
+from ipaserver.install import certs, cainstance
from ipaplatform.paths import paths
def _main():
- nickname = 'ipaCert'
-
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect()
@@ -48,20 +48,28 @@ def _main():
os.environ['KRB5CCNAME'] = ccache_filename
ca = cainstance.CAInstance(host_name=api.env.host)
+ ra_certpath = paths.RA_AGENT_PEM
if ca.is_renewal_master():
# Fetch the new certificate
- db = certs.CertDB(api.env.realm)
- dercert = db.get_cert_from_db(nickname, pem=False)
- if not dercert:
+ try:
+ cert = x509.load_certificate_from_file(ra_certpath)
+ except IOError as e:
+ syslog.syslog(
+ syslog.LOG_ERR, "Can't open '{certpath}': {err}"
+ .format(certpath=ra_certpath, err=e)
+ )
+ sys.exit(1)
+ except (TypeError, ValueError):
syslog.syslog(
- syslog.LOG_ERR, "No certificate %s found." % nickname)
+ syslog.LOG_ERR, "'{certpath}' is not a valid certificate "
+ "file".format(certpath=ra_certpath)
+ )
sys.exit(1)
+ dercert = cert.public_bytes(serialization.Encoding.DER)
+
# Load it into dogtag
cainstance.update_people_entry(dercert)
-
- if api.Command.kra_is_enabled()['result']:
- dogtaginstance.export_ra_agent_pem()
finally:
shutil.rmtree(tmpdir)
api.Backend.ldap2.disconnect()
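Review bot: The certificate loaded from `ra_certpath` is handed straight to `cainstance.update_people_entry(dercert)` with no check that it is the freshly renewed certificate rather than a stale file, so if a renewal replaced the key but left the PEM behind this would publish a certificate that no longer matches the agent key. If `cert` is a cryptography `Certificate`, as the `public_bytes(serialization.Encoding.DER)` call suggests, a cheap guard before the DER conversion would be `if cert.not_valid_after <= datetime.datetime.utcnow():` followed by a `syslog.syslog(syslog.LOG_ERR, ...)` and `sys.exit(1)` (with `datetime` imported at the top of the script); this is hedged because I cannot see what `x509.load_certificate_from_file` returns. The `except (TypeError, ValueError):` branch would also benefit from a comment stating why those two types are the parse-failure signal, e.g. `# load_certificate_from_file raises TypeError/ValueError when the file is not PEM-encoded X.509` — inferred from the branch, so confirm against ipalib.x509. _main begins before this hunk.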