From f10d1a0f84ed0f16ab4a1469f16ffadb3e79e59e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 27 Jan 2023 14:05:37 -0500
Subject: [PATCH] doc: add the --run command for manual job execution
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.
Import the IPA CA chain for manual execution.
Also fix up some $ -> # to indicate root is needed.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
doc/designs/expired_certificate_pruning.md | 46 +++++++++++++++-------
1 file changed, 32 insertions(+), 14 deletions(-)
diff --git a/doc/designs/expired_certificate_pruning.md b/doc/designs/expired_certificate_pruning.md
index 2c10d914020d3c12b6abb028323cd6796ec33e00..a23e452696ba2a150c4ad5a3e57360ae0a16a338 100644
--- a/doc/designs/expired_certificate_pruning.md
+++ b/doc/designs/expired_certificate_pruning.md
@@ -139,7 +139,7 @@ No validation of setting February 31st will be done. That will be left to PKI. B
### Disabling pruning
-`$ ipa-acme-manage pruning --enable=FALSE`
+`# ipa-acme-manage pruning --enable=FALSE`
This will remove the configuration option for `jobsScheduler.job.pruning.cron` just to be sure it no longer runs.
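Review bot: the prompt change is consistent with the later statement that ipa-acme-manage can only be run as root, but the sentence after the command still leaves open whether disabling takes effect immediately; since the troubleshooting section added later in this patch says a CA restart is needed after enabling pruning, state here whether the same restart is required after `--enable=FALSE`.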
@@ -147,46 +147,46 @@ This will remove the configuration option for `jobsScheduler.job.pruning.cron` j
#### Pruning certificates
-`$ ipa-acme-manage pruning --certretention=VALUE --certretentionunit=UNIT`
+`# ipa-acme-manage pruning --certretention=VALUE --certretentionunit=UNIT`
will be the equivalent of:
-`$ pki-server ca-config-set jobsScheduler.job.pruning.certRetentionTime 30`
+`# pki-server ca-config-set jobsScheduler.job.pruning.certRetentionTime 30`
-`$ pki-server ca-config-set jobsScheduler.job.pruning.certRetentionUnit day`
+`# pki-server ca-config-set jobsScheduler.job.pruning.certRetentionUnit day`
The unit will always be required when modifying the time.
-`$ ipa-acme-manage pruning --certsearchsizelimit=VALUE --certsearchtimelimit=VALUE`
+`# ipa-acme-manage pruning --certsearchsizelimit=VALUE --certsearchtimelimit=VALUE`
will be the equivalent of:
-`$ pki-server ca-config-set jobsScheduler.job.pruning.certSearchSizeLimit 1000`
+`# pki-server ca-config-set jobsScheduler.job.pruning.certSearchSizeLimit 1000`
-`$ pki-server ca-config-set jobsScheduler.job.pruning.certSearchTimeLimit 0`
+`# pki-server ca-config-set jobsScheduler.job.pruning.certSearchTimeLimit 0`
A value of 0 for searchtimelimit is unlimited.
#### Pruning requests
-`$ ipa-acme-manage pruning --requestretention=VALUE --requestretentionunit=UNIT`
+`# ipa-acme-manage pruning --requestretention=VALUE --requestretentionunit=UNIT`
will be the equivalent of:
-`$ pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionTime 30`
+`# pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionTime 30`
-`$ pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionUnit day`
+`# pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionUnit day`
The unit will always be required when modifying the time.
-`$ ipa-acme-manage pruning --requestsearchsizelimit=VALUE --requestsearchtimelimit=VALUE`
+`# ipa-acme-manage pruning --requestsearchsizelimit=VALUE --requestsearchtimelimit=VALUE`


will be the equivalent of:
-`$ pki-server ca-config-set jobsScheduler.job.pruning.requestSearchSizeLimit 1000`
+`# pki-server ca-config-set jobsScheduler.job.pruning.requestSearchSizeLimit 1000`
-`$ pki-server ca-config-set jobsScheduler.job.pruning.requestSearchTimeLimit 0`
+`# pki-server ca-config-set jobsScheduler.job.pruning.requestSearchTimeLimit 0`
A value of 0 for searchtimelimit is unlimited.
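Review bot: the `ipa-acme-manage` lines use the placeholders VALUE and UNIT while the "equivalent" `pki-server ca-config-set` lines use concrete values (30, day, 1000, 0), so the mapping is not one-to-one; either write `--certretention=30 --certretentionunit=day` (and likewise for the request options) or show the placeholders on both sides. The sentence `A value of 0 for searchtimelimit is unlimited.` is also repeated verbatim for certificates and requests; naming the option each time (`--certsearchtimelimit` / `--requestsearchtimelimit`) or stating it once would be clearer.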
@@ -212,10 +212,15 @@ Request search time limit: 0
Cron: 0 0 1 * *
```
+### Manual pruning
+
+`# ipa-acme-manage pruning --run`
+
+This is useful for testing the configuration or if the user wants to use the system cron or systemd timers for handling automation.
+
## Implementation
For online REST operations (login, run job) we will use the `ipaserver/plugins/dogtag.py::RestClient` class to manage the requests. This will take care of the authentication cookie, etc.
-
The class uses dogtag.https_request() will can take PEM cert and key files as arguments. These will be used for authentication.
For the non-REST operations (configuration, cron settings) the tool will fork out to pki-server ca-config-set.
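Review bot: the new Manual pruning section should say how `--run` relates to the scheduled job: a user who moves to system cron or systemd timers presumably also needs `# ipa-acme-manage pruning --enable=FALSE` (documented above) so the job is not run twice, and it should state whether `--run` uses the retention and search-limit settings already saved with `ca-config-set`. While this paragraph is being touched, the context line `The class uses dogtag.https_request() will can take PEM cert and key files` reads `will can`; likely `which can`.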
@@ -239,6 +244,7 @@ Overview of the CLI commands. Example:
| ipa-acme-manage pruning | --requestretention=30 --requestretentionunit=day |
| ipa-acme-manage pruning | --requestsearchsizelimit=1000 --requestsearchtimelimit=0 |
| ipa-acme-manage pruning | --config-show |
+| ipa-acme-manage pruning | --run |
ipa-acme-manage can only be run as root.
@@ -295,3 +301,15 @@ The PKI debug log will contain job information.
2022-12-08 21:15:24 [pruning] INFO: PruningJob: - filter: (&(!(requestState=complete))(requestModifyTime<=1667942124527)(!(requestModifyTime=1667942124527)))
2022-12-08 21:15:24 [pruning] INFO: LDAPSession: Searching ou=ca, ou=requests,o=ipaca for (&(!(requestState=complete))(dateOfModify<=20221108211524Z)(!(dateOfModify=20221108211524Z)))
```
+
+### Manual execution fails with Forbidden
+
+If manually running pruning fails with a message like:
+
+```console
+# ipa-acme-manage pruning --run
+CalledProcessError(Command ['pki', '-C', '/tmp/tmppyyd3hfq/pwdfile.txt', '-d', '/tmp/tmppyyd3hfq', '-n', 'CN=IPA RA,O=EXAMPLE.TEST', 'ca-job-start', 'pruning'] returned non-zero exit status 255: 'PKIException: Forbidden\n')
+The ipa-acme-manage command failed.
+```
+
+You probably forgot to restart the CA after enabling pruning.
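Review bot: the diagnosis is stated with more certainty than the section supports: `PKIException: Forbidden` from `pki ... ca-job-start pruning` is attributed only to a missing CA restart, and no restart command or confirmation step is given. Suggest naming the restart (e.g. `ipactl restart`, or restarting the pki-tomcatd service) and pointing to the PKI debug log mentioned at the top of this section so the reader can confirm the cause before acting. Separately, the error shows `pki` running from a temporary NSS database with the `CN=IPA RA` certificate, and the commit message says the IPA CA chain is imported for manual execution, yet this diff touches only the design doc (1 file changed); either that code change is missing from the patch or the commit message line should be dropped.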
--
2.39.1