From ccaacaaf054e9d597159e14714ab41069173da10 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Tue, 14 Oct 2014 11:26:15 +0200

Subject: [PATCH] Fail if certmonger can't see new CA certificate in LDAP in

 ipa-cacert-manage

This should not normally happen, but if it does, report an error instead of

waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>

---

 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 40 +++++++++-------------

 ipaserver/install/ipa_cacert_manage.py             |  3 +-

 2 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit

index 9a01eb3a08900a5c8d04953b41f4493f30c2b56f..e5ad9639b03b95e6e265214067a985f6c3ca0b2a 100755

--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit

+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit

@@ -311,25 +311,11 @@ def retrieve_or_reuse_cert():

     return (ISSUED, cert)

-def retrieve_cert():

+def retrieve_cert_continuous():

     """

-    Retrieve new certificate from LDAP.

+    Retrieve new certificate from LDAP. Repeat every eight hours until the

+    certificate is available.

     """

-    operation = os.environ.get('CERTMONGER_OPERATION')

-    if operation == 'SUBMIT':

-        attempts = 0

-    elif operation == 'POLL':

-        cookie = os.environ.get('CERTMONGER_CA_COOKIE')

-        if not cookie:

-            return (UNCONFIGURED, "Cookie not provided")

-

-        try:

-            attempts = int(cookie)

-        except ValueError:

-            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)

-    else:

-        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)

-

     old_cert = os.environ.get('CERTMONGER_CERTIFICATE')

     if old_cert:

         old_cert = x509.normalize_certificate(old_cert)

@@ -340,11 +326,19 @@ def retrieve_cert():

     new_cert = x509.normalize_certificate(result[1])

     if new_cert == old_cert:

-        attempts += 1

-        if attempts < 4:

-            syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")

-            # No cert available yet, tell certmonger to wait another 8 hours

-            return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))

+        syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")

+        # No cert available yet, tell certmonger to wait another 8 hours

+        return (WAIT_WITH_DELAY, 8 * 60 * 60, '')

+

+    return result

+

+def retrieve_cert():

+    """

+    Retrieve new certificate from LDAP.

+    """

+    result = call_handler(retrieve_cert_continuous)

+    if result[0] == WAIT_WITH_DELAY:

+        return (REJECTED, "Updated certificate not available")

     return result

@@ -451,7 +445,7 @@ def main():

             if ca.is_renewal_master():

                 handler = request_and_store_cert

             else:

-                handler = retrieve_cert

+                handler = retrieve_cert_continuous

         res = call_handler(handler)

         for item in res[1:]:

diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py

index a521e3965321d3345075d7fc4a55fb9c6904a652..2a8d95fdbebecf543a05afd47275c32684cad970 100644

--- a/ipaserver/install/ipa_cacert_manage.py

+++ b/ipaserver/install/ipa_cacert_manage.py

@@ -297,7 +297,8 @@ class CACertManage(admintool.AdminTool):

             raise admintool.ScriptError(

                 "Resubmitting certmonger request '%s' timed out, "

                 "please check the request manually" % self.request_id)

-        if state != 'MONITORING':

+        ca_error = certmonger.get_request_value(self.request_id, 'ca-error')

+        if state != 'MONITORING' or ca_error:

             raise admintool.ScriptError(

                 "Error resubmitting certmonger request '%s', "

                 "please check the request manually" % self.request_id)

-- 

2.1.0