From ec5eb844c9df24cc54bc9c532ad090683430b4ca Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Jul 22 2019 06:00:18 +0000 Subject: dogtag-ipa-ca-renew-agent: always use profile-based renewal Update the renewal helper to always request a new certificate ("enrollment request") instead of using "renewal request". The latter is brittle in the face of: - missing certificate record in database - missing original request record in database (pointed to by certificate record) - "mismatched" certificate or request records (there have been many cases of this; it is suspected that request/serial range conflicts, or something similar, may be the cause) The Dogtag tracking request must know what profile to use, except where the certificate uses the default profile ("caServerCert" per 'dogtag-ipa-renew-agent' implementation in Certmonger itself). This part of the puzzle was dealt with in previous commits. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden --- diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index cd3a1bd..19e50da 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in @@ -203,9 +203,9 @@ def request_cert(reuse_existing, **kwargs): "--certfile", paths.RA_AGENT_PEM, "--keyfile", paths.RA_AGENT_KEY] + sys.argv[1:] + - ['--submit-option', "requestor_name=IPA"]) - if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert': - args += ['--force-new', '--approval-option', 'bypassCAnotafter=true'] + ['--submit-option', "requestor_name=IPA"] + + ['--force-new', '--approval-option', 'bypassCAnotafter=true'] + ) result = ipautil.run(args, raiseonerr=False, env=os.environ, capture_output=True) if six.PY2: