URL: https://github.com/freeipa/freeipa/pull/5309 Author: flo-renaud Title: #5309: [Backport][ipa-4-8] Change KRA profiles in certmonger tracking so they can renew Action: opened
PR body: """ This PR was opened automatically because PR #5199 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5309/head:pr5309 git checkout pr5309
From 40aa3112785397f048cc9147ee7740fbe9cd3625 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 15 Oct 2020 08:41:48 -0400
Subject: [PATCH 1/3] Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented rewewals. dogtag is providing a new profile for the audit signing cert, caAuditSigningCert. There are existing profiles for the transport (caTransportCert) and storage (caStorageCert) certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/install/krainstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index c876d8545eb..6a0fa538618 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -66,9 +66,9 @@ class KRAInstance(DogtagInstance):
     # use for that certificate. 'configure_renewal()' reads this
     # dict. The profile MUST be specified.
     tracking_reqs = {
-        'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert',
-        'transportCert cert-pki-kra': 'caInternalAuthTransportCert',
-        'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert',
+        'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
+        'transportCert cert-pki-kra': 'caTransportCert',
+        'storageCert cert-pki-kra': 'caStorageCert',
     }
 
     def __init__(self, realm):
From 3638e64c6afd1378a7cb7f8becde4fe2e8e6a5db Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 15 Oct 2020 13:41:59 -0400
Subject: [PATCH 2/3] Test that the KRA profiles can renewal its three certificates
The KRA was previously configured with Internal CA profiles which did not work with the IPA RA. Use public, common profiles to manage renewal of the KRA subsystem certificates.
https://pagure.io/freeipa/issue/8545
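Review bot: The comment above `tracking_reqs` still only says that the profile MUST be specified; nothing in the hunk records why the three entries now name the CA's public profiles instead of the caInternalAuth* ones, so a later reader could "restore" the internal profiles and silently break renewal again. A one-line why-comment above the dict would carry the commit message's reasoning into the code: `# Public CA profiles: the caInternalAuth* profiles cannot be renewed through the IPA RA (issue 8545).` The third commit of this series raises pki_version to 10.10.0-2 for the new caAuditSigningCert profile, so naming that minimum PKI version in the same comment would tie the two changes together for whoever next touches either file. The enclosing class KRAInstance starts outside the hunk.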
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 .../test_integration/test_installation.py | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 6f003c2cdbf..d1bbb18b6e5 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -33,6 +33,7 @@
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
 from ipaplatform import services
+from ipaserver.install import krainstance
 
 config = get_global_config()
 
@@ -1045,6 +1046,38 @@ def test_install_master(self):
     def test_install_dns(self):
         tasks.install_dns(self.master)
 
+    def test_kra_certs_renewal(self):
+        """
+        Test that the KRA subsystem certificates renew properly
+        """
+        kra = krainstance.KRAInstance(self.master.domain.realm)
+        for nickname in kra.tracking_reqs:
+            cert = tasks.certutil_fetch_cert(
+                self.master,
+                paths.PKI_TOMCAT_ALIAS_DIR,
+                paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+                nickname
+            )
+            starting_serial = int(cert.serial_number)
+            cmd_arg = [
+                'ipa-getcert', 'resubmit', '-v', '-w',
+                '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+                '-n', nickname,
+            ]
+            result = self.master.run_command(cmd_arg)
+            request_id = re.findall(r'\d+', result.stdout_text)
+
+            status = tasks.wait_for_request(self.master, request_id[0], 120)
+            assert status == "MONITORING"
+
+            cert = tasks.certutil_fetch_cert(
+                self.master,
+                paths.PKI_TOMCAT_ALIAS_DIR,
+                paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+                nickname
+            )
+            assert starting_serial != int(cert.serial_number)
+
 
 
 class TestInstallMasterDNS(IntegrationTest):
From d406a97dd6f0dfb0f80879391ebcd2e506b51052 Mon Sep 17 00:00:00 2001
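Review bot: `request_id = re.findall(r'\d+', result.stdout_text)` together with the later `request_id[0]` treats the first digit run in the `ipa-getcert resubmit -v` output as the certmonger request ID; if that verbose output ever carries another number first the test waits on the wrong request, and with no match at all it dies with an IndexError instead of a readable failure. At minimum add `assert request_id, result.stdout_text` before the `wait_for_request` call, and preferably anchor the pattern on the quoted ID that getcert prints, e.g. `re.search(r'"(\d+)"', result.stdout_text)`, after confirming that is the output format on this branch. `re` is not imported by the first hunk, so it presumably already exists at the top of the file; worth confirming since the hunk is the first visible user of it. The enclosing test class starts outside the hunk.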
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 16 Nov 2020 09:42:52 -0500
Subject: [PATCH 3/3] Require PKI 10.10+ for KRA profile and ACME support
https://pagure.io/freeipa/issue/8545
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 freeipa.spec.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ec158cae4e8..8ba962ee5fc 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -108,9 +108,9 @@
 # Fedora
 %endif
 
-# PKIConnection has been modified to always validate certs.
-# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+# New KRA profile, ACME support
+# https://pagure.io/freeipa/issue/8545
+%global pki_version 10.10.0-2
 
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1