From 1202d0149bbf82c2183896c86764d818e8b2f02c Mon Sep 17 00:00:00 2001
From: Endi S. Dewata
Date: Oct 19 2023 05:44:27 +0000
Subject: Replace subsystem.select with CAInstance.is_crlgen_enabled()

The subsystem.select is not a reliable indicator to determine whether the CA is a renewal master since there is no process in PKI to update the param when the role of the instance changes (from master to clone and vice versa) so the param has been removed in PKI 11.5. Instead, it's better to use CAInstance.is_crlgen_enabled() since CRL generation is only enabled in a renewal master.

Signed-off-by: Endi Sukma Dewata
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 7267b56..fcbfb85 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -28,7 +28,6 @@ from ipalib.install import certmonger
 from ipalib.plugable import Registry
 from ipaplatform.paths import paths
 from ipapython.dn import DN
-from ipapython import directivesetter
 logger = logging.getLogger(__name__)
@@ -108,18 +107,9 @@ class update_ca_renewal_master(Updater):
 else:
 logger.debug("certmonger request for RA cert not found")
- config = directivesetter.get_directive(
- paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
-
- if config == 'New':
- pass
- elif config == 'Clone':
+ if not ca.is_crlgen_enabled():
+ # CA is not a renewal master
 return False, []
- else:
- logger.warning(
- "CS.cfg has unknown subsystem.select value '%s', "
- "assuming local CA is not a renewal master", config)
- return (False, False, [])
 update = {
 'dn': dn,
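Review bot: The new early return in the second hunk (`if not ca.is_crlgen_enabled():`) exits without logging anything, whereas the removed `else` branch warned when it fell back to "not a renewal master", so the upgrade log no longer records why this host was skipped. Add a line such as `logger.debug("CRL generation is disabled, assuming local CA is not a renewal master")` before `return False, []`. The comment would also be more accurate if it named what is actually tested, e.g. `# CRL generation is disabled, so this CA is treated as not being the renewal master`. `is_crlgen_enabled()` and the `ca` object are defined outside this diff; if that method can raise on an unreadable or inconsistent CS.cfg, the exception would now propagate out of the updater where the old code only warned, which is worth confirming. The enclosing method starts and ends outside the hunk.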