From 588f1ddce2f69fd5e80d3271c9c8d80d312d350f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Jul 22 2019 03:33:24 +0000
Subject: dogtaginstance: avoid special cases for Server-Cert
The Dogtag "Server-Cert cert-pki-ca" certificate is treated specially, with its own track_servercert() method and other special casing. But there is no real need for this - the only (potential) difference is the token name. Account for the token name difference with a lookup method and treat all Dogtag system certs equally w.r.t. tracking request creation and removal.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b732e1b..f9eea2e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -267,6 +267,8 @@ class CAInstance(DogtagInstance):
 2 = have signed cert, continue installation
 """
+ server_cert_name = 'Server-Cert cert-pki-ca'
+
 # Mapping of nicknames for tracking requests, and the profile to
 # use for that certificate. 'configure_renewal()' reads this
 # dict. The profile MUST be specified.
@@ -275,8 +277,12 @@ class CAInstance(DogtagInstance):
 'ocspSigningCert cert-pki-ca': 'caOCSPCert',
 'subsystemCert cert-pki-ca': 'caSubsystemCert',
 'caSigningCert cert-pki-ca': 'caCACert',
+ server_cert_name: 'caServerCert',
 }
- server_cert_name = 'Server-Cert cert-pki-ca'
+ token_names = {
+ server_cert_name: 'internal', # Server-Cert always on internal token
+ }
+
 # The following must be aligned with the RewriteRule defined in
 # install/share/ipa-pki-proxy.conf.template
 crl_rewrite_pattern = r"^\s*(RewriteRule\s+\^/ipa/crl/MasterCRL.bin\s.*)$"
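Review bot: The `# Server-Cert always on internal token` comment on the new `token_names` entry restates the value but not the reason, and the commit message makes the token the one property that may differ between Server-Cert and the other system certs. Once `token_name` can point somewhere other than the internal token (the issue linked in the commit message suggests that direction; it is not visible here), this entry becomes the only exception, so the next maintainer needs to know why it is pinned: I would expand it to `# Server-Cert must stay on the internal (software) token even when token_name changes — TODO state why (see issue 7991)`. The hunk also adds Server-Cert to `tracking_reqs` with an explicit `caServerCert` profile, whereas the removed `track_servercert()` created its request without one; if `configure_renewal()` passes the profile to certmonger (that part of the call lies outside the hunks shown), upgraded deployments will get a differently shaped request, which deserves a sentence in the commit message.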
@@ -443,7 +449,6 @@ class CAInstance(DogtagInstance):
 "Ensuring backward compatibility", self.__dogtag10_migration)
 self.step("configure certificate renewals", self.configure_renewal)
- self.step("configure Server-Cert certificate renewal", self.track_servercert)
 self.step("Configure HTTP to proxy connections", self.http_proxy)
 self.step("restarting certificate server", self.restart_instance)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 1827edb..132ae3b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -95,18 +95,22 @@ class DogtagInstance(service.Service):
 CA, KRA, and eventually TKS and TPS.
 """
- # Mapping of nicknames for tracking requests, and the profile to use for
- # that certificate. 'configure_renewal()' reads this dict and adds the
- # profile if configured. Certificates that use the default profile
- # ("caServerCert", as defined by dogtag-ipa-renew-agent which is part of
- # Certmonger) are omitted.
+ # Mapping of nicknames for tracking requests, and the profile to
+ # use for that certificate. 'configure_renewal()' reads this
+ # dict and adds the profile if configured.
 tracking_reqs = dict()
- server_cert_name = None
 # token for CA and subsystem certificates. For now, only internal token
 # is supported.
 token_name = "internal"
+ # override token for specific nicknames
+ token_names = dict()
+ def get_token_name(self, nickname):
+ """Look up token name for nickname."""
+ return self.token_names.get(nickname, self.token_name)
+
 ipaca_groups = DN(('ou', 'groups'), ('o', 'ipaca'))
 ipaca_people = DN(('ou', 'people'), ('o', 'ipaca'))
 groups_aci = (
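Review bot: The docstring of the new `get_token_name()`, `Look up token name for nickname.`, does not say what happens for nicknames absent from `token_names`, which is the common case; I would write `"""Return the NSS token holding *nickname*: the class's token_names override if one exists, else token_name."""`. The base-class `token_names = dict()` is a mutable class attribute read through `self`, so a comment such as `# subclasses reassign this on the class; never mutate it in place` would keep a KRA/TKS subclass from editing the shared base dict. The hunk also deletes `server_cert_name = None` from the base class, so any other `DogtagInstance` subclass or caller still reading `self.server_cert_name` (none is visible in this diff, but the KRA subclass is not shown) would now raise `AttributeError` instead of getting `None`; that is worth a grep before merging.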
@@ -323,15 +327,16 @@ class DogtagInstance(service.Service):
 def configure_renewal(self):
 """
 Configure certmonger to renew system certs
 """
- pin = self.__get_pin(self.token_name)
 for nickname in self.tracking_reqs:
+ token_name = self.get_token_name(nickname)
+ pin = self.__get_pin(token_name)
 try:
 certmonger.start_tracking(
 certpath=self.nss_db,
 ca='dogtag-ipa-ca-renew-agent',
 nickname=nickname,
- token_name=self.token_name,
+ token_name=token_name,
 pin=pin,
 pre_command='stop_pkicad',
 post_command='renew_ca_cert "%s"' % nickname,
@@ -341,29 +346,6 @@ class DogtagInstance(service.Service):
 logger.error(
 "certmonger failed to start tracking certificate: %s", e)
- def track_servercert(self):
- """
- Specifically do not tell certmonger to restart the CA. This will be
- done by the renewal script, renew_ca_cert once all the subsystem
- certificates are renewed.
- """
- # server cert is always stored in internal token
- token_name = "internal"
- pin = self.__get_pin(token_name)
- try:
- certmonger.start_tracking(
- certpath=self.nss_db,
- ca='dogtag-ipa-ca-renew-agent',
- nickname=self.server_cert_name,
- token_name=token_name,
- pin=pin,
- pre_command='stop_pkicad',
- post_command='renew_ca_cert "%s"' % self.server_cert_name
- )
- except RuntimeError as e:
- logger.error(
- "certmonger failed to start tracking certificate: %s", e)
-
 def stop_tracking_certificates(self, stop_certmonger=True):
 """Stop tracking our certificates. Called on uninstall.
 """
@@ -377,11 +359,7 @@ class DogtagInstance(service.Service):
 services.knownservices.dbus.start()
 cmonger.start()
- nicknames = list(self.tracking_reqs)
- if self.server_cert_name is not None:
- nicknames.append(self.server_cert_name)
-
- for nickname in nicknames:
+ for nickname in self.tracking_reqs:
 try:
 certmonger.stop_tracking(
 self.nss_db, nickname=nickname)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 40f6071..056dba5 100644
--- a/ipaserver/install/server/upgrade.py
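Review bot: The moved `pin = self.__get_pin(token_name)` now runs once per nickname and sits outside the `try`, so if the lookup fails for one token — how `__get_pin` fails for a token with no stored PIN is defined outside the hunk — the loop aborts after some certificates are already tracked and before the rest are, leaving a Dogtag instance whose untracked system certs will expire without renewal; before this change the single lookup failed before any request was created or not at all. Resolving the PIN of every distinct token before the loop restores that all-or-nothing behaviour and also stops re-reading the PIN for every nickname that shares a token. The `except RuntimeError` that closes this `try` is in the next hunk, so `configure_renewal()` ends outside this hunk.
```python
    def configure_renewal(self):
        """
        Configure certmonger to renew system certs
        """
        # Resolve the PIN of every token up front, so a nickname whose token
        # has no usable PIN fails before any tracking request exists rather
        # than leaving some system certs tracked and others not.
        pins = {}
        for nickname in self.tracking_reqs:
            token_name = self.get_token_name(nickname)
            if token_name not in pins:
                pins[token_name] = self.__get_pin(token_name)
        for nickname in self.tracking_reqs:
            token_name = self.get_token_name(nickname)
            pin = pins[token_name]
            # … unchanged: certmonger.start_tracking(...) call and its error handling …
```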
+++ b/ipaserver/install/server/upgrade.py
@@ -974,11 +974,7 @@ def certificate_renewal_update(ca, ds, http):
 requests = []
- dogtag_system_nicks = (
- list(cainstance.CAInstance.tracking_reqs) +
- [cainstance.CAInstance.server_cert_name]
- )
- for nick in dogtag_system_nicks:
+ for nick in cainstance.CAInstance.tracking_reqs:
 req = {
 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
 'cert-nickname': nick,
@@ -1074,7 +1070,6 @@ def certificate_renewal_update(ca, ds, http):
 ca.configure_certmonger_renewal()
 ca.configure_renewal()
 ca.configure_agent_renewal()
- ca.track_servercert()
 ca.add_lightweight_ca_tracking_requests()
 ds.start_tracking_certificates(serverid)
 http.start_tracking_certificates()
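Review bot: The rebuilt loop `for nick in cainstance.CAInstance.tracking_reqs:` makes `tracking_reqs` the single source of truth for which Dogtag system certs the upgrade verifies, but nothing in this function says so, and the `req` template it feeds continues past the hunk. I would add `# tracking_reqs lists every Dogtag system cert, Server-Cert included; a cert missing from it is neither tracked at install nor checked here` above the loop, so that a later edit to `CAInstance.tracking_reqs` is understood to change both installation and upgrade. `certificate_renewal_update()` begins and ends outside this hunk.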