From d07563b744060a4c4d02cb44de20d5589800f38e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Oct 05 2017 10:57:10 +0000 Subject: ipa-cacert-manage: handle alternative tracking request CA name For an externally-signed CA, if an earlier run of ipa-cacert-manage was interrupted, the CA name in the IPA CA tracking request may have been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to "dogtag-ipa-ca-renew-agent" at the end of the CSR generation procedure). `ipa-cacert-manage renew` currently only looks for a tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this scenario the program fails with message "CA certificate is not tracked by certmonger". To handle this scenario, if the IPA CA tracking request is not found, try once again but with the "dogtag-ipa-ca-renew-agent-reuse" CA name. Part of: https://pagure.io/freeipa/issue/6858 Reviewed-By: Florence Blanc-Renaud --- diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index bff1678..f764638 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py
@@ -148,20 +148,30 @@ class CACertManage(admintool.AdminTool):
 api.Backend.ldap2.connect(bind_pw=password)
+ def _get_ca_request_id(self, ca_name):
+ """Lookup tracking request for IPA CA, using given ca-name."""
+ criteria = {
+ 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
+ 'cert-nickname': self.cert_nickname,
+ 'ca-name': ca_name,
+ }
+ return certmonger.get_request_id(criteria)
+
 def renew(self):
 ca = cainstance.CAInstance(api.env.realm)
 if not ca.is_configured():
 raise admintool.ScriptError("CA is not configured on this system")
- criteria = {
- 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
- 'cert-nickname': self.cert_nickname,
- 'ca-name': 'dogtag-ipa-ca-renew-agent',
- }
- self.request_id = certmonger.get_request_id(criteria)
+ self.request_id = self._get_ca_request_id('dogtag-ipa-ca-renew-agent')
 if self.request_id is None:
- raise admintool.ScriptError(
- "CA certificate is not tracked by certmonger")
+ # if external CA renewal was interrupted, the request may have
+ # been left with the "dogtag-ipa-ca-renew-agent-reuse" CA;
+ # look for it too
+ self.request_id = \
+ self._get_ca_request_id('dogtag-ipa-ca-renew-agent-reuse')
+ if self.request_id is None:
+ raise admintool.ScriptError(
+ "CA certificate is not tracked by certmonger")
 logger.debug(
 "Found certmonger request id %r", self.request_id)
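Review bot: When the second lookup succeeds, renew() continues exactly as in the normal case and the only trace is the generic `logger.debug("Found certmonger request id %r", self.request_id)` at the end of the hunk, which cannot tell an operator that the tracking request was found in the intermediate "-reuse" state left behind by an interrupted run. A visible message in the fallback branch, e.g. `logger.warning("IPA CA tracking request still uses the 'dogtag-ipa-ca-renew-agent-reuse' CA; an earlier renewal was probably interrupted")`, would make this recovery path auditable in the tool's output and logs. Whether the remainder of renew() resets the ca-name on that request, so the tool does not leave it in the "-reuse" state after a successful run, is not visible here and should be confirmed; renew()'s body continues past the end of the hunk. On style, the backslash continuation in `self.request_id = \` could be avoided by wrapping the call in parentheses, matching the `raise admintool.ScriptError(` lines just below it.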