From da3e6ab68f4f40b2851770fcc928b5bb93831c42 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 24 Apr 2017 06:20:07 +0000
Subject: [PATCH] renew agent: always export CSR on IPA CA certificate renewal

Make sure a CSR is exported for the IPA CA whenever certmonger detects that the CA certificate is about to expire. This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA instead of the `ipaCSRExport` virtual profile to export the CSR.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka
Reviewed-By: Stanislav Laznicka
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7b5489555d069856a6da7a21b5ab2b0f4dd4a41c..657a1bc638e1da680522c638e92914098fc6ab4b 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -451,6 +451,10 @@ def renew_ca_cert(reuse_existing, **kwargs):
     """
     This is used for automatic CA certificate renewal.
     """
+    csr = os.environ.get('CERTMONGER_CSR')
+    if not csr:
+        return (UNCONFIGURED, "Certificate request not provided")
+
     cert = os.environ.get('CERTMONGER_CERTIFICATE')
     if not cert:
         return (REJECTED, "New certificate requests not supported")
@@ -462,6 +466,13 @@ def renew_ca_cert(reuse_existing, **kwargs):
 
         if is_self_signed and not reuse_existing and is_renewal_master():
             state = 'request'
+
+            csr_file = paths.IPA_CA_CSR
+            try:
+                with open(csr_file, 'wb') as f:
+                    f.write(csr)
+            except Exception as e:
+                return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
     elif operation == 'POLL':
         cookie = os.environ.get('CERTMONGER_CA_COOKIE')
         if not cookie:
-- 
2.9.3
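Review bot: The docstring at the top of the hunk still reads only "This is used for automatic CA certificate renewal." although the function now has a new hard precondition: a missing or empty `CERTMONGER_CSR` makes it return UNCONFIGURED before any renewal work happens. I would extend the docstring with a sentence such as `Requires CERTMONGER_CSR and CERTMONGER_CERTIFICATE in the environment; on the renewal master the CSR is also exported to paths.IPA_CA_CSR so that the CA certificate can be re-signed from it.` so the contract is visible to whoever wires up the certmonger CA helper. renew_ca_cert's body continues past the end of this hunk and into the next one.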
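Review bot: The `except Exception` around the new CSR write is too broad: a non-I/O failure is reported as UNREACHABLE, which presumably makes certmonger retry the same failing operation indefinitely instead of surfacing a bug. In particular, if this helper runs under Python 3, `os.environ.get` returns a str and `f.write(csr)` on a `'wb'` handle raises TypeError, which this handler would mask as "Failed to write"; narrowing it to `except (IOError, OSError) as e:` keeps the retry semantics for genuine filesystem errors only (whether the script is Python 2 or 3 is not visible in the hunk). A second, smaller point is that the write to paths.IPA_CA_CSR is not atomic, so a crash mid-write leaves a truncated CSR at the path the re-signing step later reads; writing to a sibling temporary file and renaming over the target avoids that. The enclosing `if operation == ...` chain and the rest of renew_ca_cert lie outside this hunk.
```python
            csr_file = paths.IPA_CA_CSR
            tmp_file = csr_file + '.tmp'
            try:
                with open(tmp_file, 'wb') as f:
                    f.write(csr)
                # rename is atomic on the same filesystem, so readers never
                # see a partially written CSR
                os.rename(tmp_file, csr_file)
            except (IOError, OSError) as e:
                return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
            # … unchanged: elif operation == 'POLL' branch …
```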