From ccaacaaf054e9d597159e14714ab41069173da10 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 14 Oct 2014 11:26:15 +0200
Subject: [PATCH] Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of waiting idefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit | 40 +++++++++-------------
 ipaserver/install/ipa_cacert_manage.py | 3 +-
 2 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 9a01eb3a08900a5c8d04953b41f4493f30c2b56f..e5ad9639b03b95e6e265214067a985f6c3ca0b2a 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -311,25 +311,11 @@ def retrieve_or_reuse_cert():
     return (ISSUED, cert)
-def retrieve_cert():
+def retrieve_cert_continuous():
     """
-    Retrieve new certificate from LDAP.
+    Retrieve new certificate from LDAP. Repeat every eight hours until the
+    certificate is available.
     """
-    operation = os.environ.get('CERTMONGER_OPERATION')
-    if operation == 'SUBMIT':
-        attempts = 0
-    elif operation == 'POLL':
-        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
-        if not cookie:
-            return (UNCONFIGURED, "Cookie not provided")
-
-        try:
-            attempts = int(cookie)
-        except ValueError:
-            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
-    else:
-        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-
     old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
     if old_cert:
         old_cert = x509.normalize_certificate(old_cert)
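Review bot: The removed block at the top of retrieve_cert_continuous was also the only place in this function that rejected operations other than SUBMIT and POLL with `OPERATION_NOT_SUPPORTED_BY_HELPER`, and nothing added here replaces it. If `call_handler` (not in the hunk) does not perform that check itself, any other CERTMONGER_OPERATION value now falls through to the LDAP lookup and returns an ISSUED/WAIT_WITH_DELAY status for an operation the helper does not support. If so, keeping a guard such as `if os.environ.get('CERTMONGER_OPERATION') not in ('SUBMIT', 'POLL'):` / `    return (OPERATION_NOT_SUPPORTED_BY_HELPER,)` at the top of the function preserves the old contract. Dropping the attempt cookie is fine since the new docstring says the function retries indefinitely. The body of retrieve_cert_continuous continues past the end of the hunk.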
@@ -340,11 +326,19 @@ def retrieve_cert():
         new_cert = x509.normalize_certificate(result[1])
         if new_cert == old_cert:
-            attempts += 1
-            if attempts < 4:
-                syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
-                # No cert available yet, tell certmonger to wait another 8 hours
-                return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+            syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
+            # No cert available yet, tell certmonger to wait another 8 hours
+            return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
+
+    return result
+
+def retrieve_cert():
+    """
+    Retrieve new certificate from LDAP.
+    """
+    result = call_handler(retrieve_cert_continuous)
+    if result[0] == WAIT_WITH_DELAY:
+        return (REJECTED, "Updated certificate not available")
     return result
@@ -451,7 +445,7 @@ def main():
     if ca.is_renewal_master():
         handler = request_and_store_cert
     else:
-        handler = retrieve_cert
+        handler = retrieve_cert_continuous
     res = call_handler(handler)
     for item in res[1:]:
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index a521e3965321d3345075d7fc4a55fb9c6904a652..2a8d95fdbebecf543a05afd47275c32684cad970 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -297,7 +297,8 @@ class CACertManage(admintool.AdminTool):
             raise admintool.ScriptError(
                 "Resubmitting certmonger request '%s' timed out, "
                 "please check the request manually" % self.request_id)
-        if state != 'MONITORING':
+        ca_error = certmonger.get_request_value(self.request_id, 'ca-error')
+        if state != 'MONITORING' or ca_error:
             raise admintool.ScriptError(
                 "Error resubmitting certmonger request '%s', "
                 "please check the request manually" % self.request_id)
--
2.1.0
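Review bot: The docstring of the new retrieve_cert is the old one copied verbatim and does not say how it differs from retrieve_cert_continuous, which is the whole point of splitting the two: this variant turns a WAIT_WITH_DELAY result into REJECTED, so a caller gets an immediate failure instead of an eight-hour retry cycle. Suggest `Retrieve new certificate from LDAP. Unlike retrieve_cert_continuous, do not wait for the certificate to appear: reject the request if it is not available yet.` as the docstring, and a one-line comment above the REJECTED return stating that the caller (ipa-cacert-manage, per the commit message) relies on this to detect a certificate missing from LDAP. The `result[0]` test also assumes call_handler always returns a non-empty tuple; that holds for the returns visible here but call_handler itself is outside the hunk, so worth confirming. Which operation mode selects retrieve_cert rather than retrieve_cert_continuous is not visible in this patch.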
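Review bot: In the ipa_cacert_manage.py hunk the new `ca_error` value is used only as a boolean and never surfaces to the administrator, so the raised ScriptError still says only "please check the request manually" even though the helper's reason (e.g. "Updated certificate not available", set on the other side of this patch) is already in hand. Including it, along with the state, makes the failure actionable without a second certmonger query: `raise admintool.ScriptError(` / `    "Error resubmitting certmonger request '%s' (state: %s, ca-error: %s), "` / `    "please check the request manually" % (self.request_id, state, ca_error))`. The `or ca_error` test presumes get_request_value returns an empty or None value when the property is unset; if it can return a stale error from an earlier submission, that should be cleared or checked before resubmitting, which I cannot verify from this hunk. The enclosing method starts and ends outside the hunk.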