From ef6aa6759bfc7e0a46e1dafefb3a1b9d15b5f553 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Oct 17 2017 15:34:29 +0000
Subject: ipa-server-upgrade: do not add untracked certs to the request list

If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked. In this case, it is not necessary to add them to the tracking requests list.

https://pagure.io/freeipa/issue/7151

Reviewed-By: Rob Crittenden

---

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e657a5a..725e8af 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -970,19 +970,6 @@ def certificate_renewal_update(ca, ds, http):
 'cert-presave-command': template % 'renew_ra_cert_pre',
 'cert-postsave-command': template % 'renew_ra_cert',
 },
- {
- 'cert-database': paths.HTTPD_ALIAS_DIR,
- 'cert-nickname': http.get_mod_nss_nickname(),
- 'ca-name': 'IPA',
- 'cert-postsave-command': template % 'restart_httpd',
- },
- {
- 'cert-database': dsinstance.config_dirname(serverid)[:-1],
- 'cert-nickname': ds.get_server_cert_nickname(serverid),
- 'ca-name': 'IPA',
- 'cert-postsave-command':
- '%s %s' % (template % 'restart_dirsrv', serverid),
- }
 ]
 logger.info("[Update certmonger certificate renewal configuration]")
@@ -990,6 +977,34 @@ def certificate_renewal_update(ca, ds, http):
 logger.info('CA is not configured')
 return False
+ # Check the http server cert if issued by IPA
+ http_nickname = http.get_mod_nss_nickname()
+ http_db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+ if http_db.is_ipa_issued_cert(api, http_nickname):
+ requests.append(
+ {
+ 'cert-database': paths.HTTPD_ALIAS_DIR,
+ 'cert-nickname': http_nickname,
+ 'ca-name': 'IPA',
+ 'cert-postsave-command': template % 'restart_httpd',
+ }
+ )
+
+ # Check the ldap server cert if issued by IPA
+ ds_nickname = ds.get_server_cert_nickname(serverid)
+ ds_db_dirname = dsinstance.config_dirname(serverid)
+ ds_db = certs.CertDB(api.env.realm, nssdir=ds_db_dirname)
+ if ds_db.is_ipa_issued_cert(api, ds_nickname):
+ requests.append(
+ {
+ 'cert-database': ds_db_dirname[:-1],
+ 'cert-nickname': ds_nickname,
+ 'ca-name': 'IPA',
+ 'cert-postsave-command':
+ '%s %s' % (template % 'restart_dirsrv', serverid),
+ }
+ )
+
 db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
 for nickname, _trust_flags in db.list_certs():
 if nickname.startswith('caSigningCert cert-pki-ca '):
@@ -1011,6 +1026,8 @@ def certificate_renewal_update(ca, ds, http):
 if request_id is None:
 break
 else:
+ logger.info("Certmonger certificate renewal configuration already "
+ "up-to-date")
 return False
 # Ok, now we need to stop tracking, then we can start tracking them
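Review bot: The two `if ...is_ipa_issued_cert(...)` branches have no `else`, so an HTTP or LDAP server cert that is not IPA-issued is left out of the tracking list without any trace in the upgrade log, and an operator later asking why certmonger does not track it has nothing to go on; I would add `else: logger.debug("HTTP server cert %s is not issued by IPA, not tracking", http_nickname)` and the equivalent for `ds_nickname`. The `ds_db_dirname[:-1]` slice also deserves a one-line comment, since it presumably strips a trailing '/' from what `config_dirname()` returns while the `CertDB` constructor on the line above receives the unstripped path — something like `# config_dirname() ends with '/'; certmonger wants the bare path`. Minor: the new code passes `nssdir=` by keyword while the unchanged `db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)` context line passes it positionally; one form would read better. certificate_renewal_update() starts and ends outside the hunk.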