From 683af82db848e457ec6855b4ea099a1b4ede66d8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Dec 04 2018 16:49:33 +0000
Subject: certupdate: add commentary about certmonger behaviour


It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate.  Add some commentary to explain this behaviour.

Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index ea3765f..7a5d3f9 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -164,6 +164,17 @@ def update_server(certs):
     if request_id is not None:
         timeout = api.env.startup_timeout + 60
 
+        # The dogtag-ipa-ca-renew-agent-reuse Certmonger CA never
+        # actually renews the certificate; it only pulls it from the
+        # ca_renewal LDAP cert store.
+        #
+        # Why is this needed?  If the CA cert gets renewed long
+        # before its notAfter (expiry) date (e.g. to switch from
+        # self-signed to external, or to switch to new external CA),
+        # then the other (i.e. not caRenewalMaster) CA replicas will
+        # not promptly pick up the new CA cert.  So we make
+        # ipa-certupdate always check for an updated CA cert.
+        #
         logger.debug("resubmitting certmonger request '%s'", request_id)
         certmonger.resubmit_request(
             request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')