def needs_resubmit(host, req_id):
"""Helper method to identify if cert request needs to be resubmitted
:param host: the host
:param req_id: request id to perform operation for
Returns True if resubmit needed else False
"""
# check if cert is in monitoring state
tasks.wait_for_certmonger_status(host, ('MONITORING'), req_id, timeout=600)
# check if cert is valid and not expired
cmd = host.run_command('getcert list -i {} | grep expires'.format(req_id))
cert_expiry = cmd.stdout_text.split(' ')
cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date()
if cert_expiry > date.today():
return False
else:
return True
def test_certmomger_tracks_renewed_certs_during_interruptions(self):
"""Test that CA renewal handles early CA_WORKING and restarts
A non-renewal master CA might submit a renewal request before
the renewal master actually updating the certs. This is expected.
The tracking request will result in CA_WORKING.
This would trigger a different path within the IPA renewal
scripts which differentiate between a SUBMIT (new request) and
a POLL (resume request). The script was requiring a cookie
value for POLL requests which wasn't available and was
erroring out unrecoverably without restarting certmonger.
Submit a request for renewal early and wait for it to go into
CA_WORKING. Resubmit the request to ensure that the request
remains in CA_WORKING without reporting any ca_error like
Invalid cookie: ''
Use the submitted value in the certmonger request to validate
that the request was resubmitted and not rely on catching
the states directly.
Pagure Issue: https://pagure.io/freeipa/issue/8164
"""
cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
result = self.replicas[0].run_command(cmd)
# Get Request ID and Submitted Values
request_id = get_certmonger_fs_id(result.stdout_text)
start_val = get_certmonger_request_value(self.replicas[0],
request_id, "submitted")
# at this point submitted value for RA agent cert should be
# 19700101000000 since it has never been submitted for renewal.
assert start_val == DEFAULT_RA_AGENT_SUBMITTED_VAL
cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
self.replicas[0].run_command(cmd)
tasks.wait_for_certmonger_status(self.replicas[0],
('CA_WORKING', 'MONITORING'),
request_id)
resubmit_val = get_certmonger_request_value(self.replicas[0],
request_id,
"submitted")
if resubmit_val == DEFAULT_RA_AGENT_SUBMITTED_VAL:
pytest.fail("Request was not resubmitted")
ca_error = get_certmonger_request_value(self.replicas[0],
request_id, "ca_error")
state = get_certmonger_request_value(self.replicas[0],
request_id, "state")
assert ca_error is None
assert state == 'CA_WORKING'
cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
self.replicas[0].run_command(cmd)
tasks.wait_for_certmonger_status(self.replicas[0],
('CA_WORKING', 'MONITORING'),
request_id)
resubmit2_val = get_certmonger_request_value(self.replicas[0],
request_id,
"submitted")
if resubmit_val == DEFAULT_RA_AGENT_SUBMITTED_VAL:
pytest.fail("Request was not resubmitted")
assert resubmit2_val > resubmit_val
ca_error = get_certmonger_request_value(self.replicas[0],
request_id, "ca_error")
state = get_certmonger_request_value(self.replicas[0],
request_id, "state")
assert ca_error is None
assert state == 'CA_WORKING'
def test_renew_expired_cert_replica(self, expire_certs):
"""Test renewal of certificates on replica with ipa-cert-fix
This is to check that ipa-cert-fix renews the certificates
on replica
related: https://pagure.io/freeipa/issue/7885
"""
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
check_status(self.master, 9, "MONITORING")
# replica operations
# 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
cmd = self.replicas[0].run_command([
'getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n',
'Server-Cert cert-pki-ca'
])
req_id = get_certmonger_fs_id(cmd.stdout_text)
tasks.wait_for_certmonger_status(self.replicas[0], ('CA_UNREACHABLE'),
req_id,
timeout=600)
# get initial expiry date to compare later with renewed cert
initial_expiry = get_cert_expiry(self.replicas[0],
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca')
# check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
instance = realm_to_serverid(self.master.domain.realm)
dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
cmd = self.replicas[0].run_command(['getcert', 'list', '-f', cert])
req_id = get_certmonger_fs_id(cmd.stdout_text)
tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'),
req_id,
timeout=600)
cmd = self.replicas[0].run_command(
['getcert', 'list', '-d', dirsrv_cert])
req_id = get_certmonger_fs_id(cmd.stdout_text)
tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'),
req_id,
timeout=600)
# check if replication working fine
testuser = '******'
password = '******'
stdin = (f"{self.master.config.admin_password}\n"
f"{self.master.config.admin_password}\n"
f"{self.master.config.admin_password}\n")
self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
tasks.user_add(self.master, testuser, password=password)
self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
self.replicas[0].run_command(['ipa', 'user-show', testuser])
# renew shared certificates by resubmitting to certmonger
cmd = self.replicas[0].run_command(
['getcert', 'list', '-f', paths.RA_AGENT_PEM])
req_id = get_certmonger_fs_id(cmd.stdout_text)
if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(['getcert', 'resubmit', '-i', req_id])
tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'),
req_id,
timeout=600)
for cert_nick in ('auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca'):
cmd = self.replicas[0].run_command([
'getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n',
cert_nick
])
req_id = get_certmonger_fs_id(cmd.stdout_text)
if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(
['getcert', 'resubmit', '-i', req_id])
tasks.wait_for_certmonger_status(self.replicas[0],
('MONITORING'),
req_id,
timeout=600)
self.replicas[0].run_command(['ipa-cert-fix', '-v'],
stdin_text='yes\n')
check_status(self.replicas[0], 9, "MONITORING")
# Sometimes certmonger takes time to update the cert status
# So check in nssdb instead of relying on getcert command
renewed_expiry = get_cert_expiry(self.replicas[0],
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca')
assert renewed_expiry > initial_expiry
