def needs_resubmit(host, req_id): """Helper method to identify if cert request needs to be resubmitted :param host: the host :param req_id: request id to perform operation for Returns True if resubmit needed else False """ # check if cert is in monitoring state tasks.wait_for_certmonger_status(host, ('MONITORING'), req_id, timeout=600) # check if cert is valid and not expired cmd = host.run_command('getcert list -i {} | grep expires'.format(req_id)) cert_expiry = cmd.stdout_text.split(' ') cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date() if cert_expiry > date.today(): return False else: return True
def test_certmomger_tracks_renewed_certs_during_interruptions(self): """Test that CA renewal handles early CA_WORKING and restarts A non-renewal master CA might submit a renewal request before the renewal master actually updating the certs. This is expected. The tracking request will result in CA_WORKING. This would trigger a different path within the IPA renewal scripts which differentiate between a SUBMIT (new request) and a POLL (resume request). The script was requiring a cookie value for POLL requests which wasn't available and was erroring out unrecoverably without restarting certmonger. Submit a request for renewal early and wait for it to go into CA_WORKING. Resubmit the request to ensure that the request remains in CA_WORKING without reporting any ca_error like Invalid cookie: '' Use the submitted value in the certmonger request to validate that the request was resubmitted and not rely on catching the states directly. Pagure Issue: https://pagure.io/freeipa/issue/8164 """ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM] result = self.replicas[0].run_command(cmd) # Get Request ID and Submitted Values request_id = get_certmonger_fs_id(result.stdout_text) start_val = get_certmonger_request_value(self.replicas[0], request_id, "submitted") # at this point submitted value for RA agent cert should be # 19700101000000 since it has never been submitted for renewal. assert start_val == DEFAULT_RA_AGENT_SUBMITTED_VAL cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] self.replicas[0].run_command(cmd) tasks.wait_for_certmonger_status(self.replicas[0], ('CA_WORKING', 'MONITORING'), request_id) resubmit_val = get_certmonger_request_value(self.replicas[0], request_id, "submitted") if resubmit_val == DEFAULT_RA_AGENT_SUBMITTED_VAL: pytest.fail("Request was not resubmitted") ca_error = get_certmonger_request_value(self.replicas[0], request_id, "ca_error") state = get_certmonger_request_value(self.replicas[0], request_id, "state") assert ca_error is None assert state == 'CA_WORKING' cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] self.replicas[0].run_command(cmd) tasks.wait_for_certmonger_status(self.replicas[0], ('CA_WORKING', 'MONITORING'), request_id) resubmit2_val = get_certmonger_request_value(self.replicas[0], request_id, "submitted") if resubmit_val == DEFAULT_RA_AGENT_SUBMITTED_VAL: pytest.fail("Request was not resubmitted") assert resubmit2_val > resubmit_val ca_error = get_certmonger_request_value(self.replicas[0], request_id, "ca_error") state = get_certmonger_request_value(self.replicas[0], request_id, "state") assert ca_error is None assert state == 'CA_WORKING'
def test_renew_expired_cert_replica(self, expire_certs): """Test renewal of certificates on replica with ipa-cert-fix This is to check that ipa-cert-fix renews the certificates on replica related: https://pagure.io/freeipa/issue/7885 """ # wait for cert expiry check_status(self.master, 8, "CA_UNREACHABLE") self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') check_status(self.master, 9, "MONITORING") # replica operations # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state cmd = self.replicas[0].run_command([ 'getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', 'Server-Cert cert-pki-ca' ]) req_id = get_certmonger_fs_id(cmd.stdout_text) tasks.wait_for_certmonger_status(self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600) # get initial expiry date to compare later with renewed cert initial_expiry = get_cert_expiry(self.replicas[0], paths.PKI_TOMCAT_ALIAS_DIR, 'Server-Cert cert-pki-ca') # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state instance = realm_to_serverid(self.master.domain.realm) dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE): cmd = self.replicas[0].run_command(['getcert', 'list', '-f', cert]) req_id = get_certmonger_fs_id(cmd.stdout_text) tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'), req_id, timeout=600) cmd = self.replicas[0].run_command( ['getcert', 'list', '-d', dirsrv_cert]) req_id = get_certmonger_fs_id(cmd.stdout_text) tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'), req_id, timeout=600) # check if replication working fine testuser = '******' password = '******' stdin = (f"{self.master.config.admin_password}\n" f"{self.master.config.admin_password}\n" f"{self.master.config.admin_password}\n") self.master.run_command(['kinit', 'admin'], stdin_text=stdin) tasks.user_add(self.master, testuser, password=password) self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin) self.replicas[0].run_command(['ipa', 'user-show', testuser]) # renew shared certificates by resubmitting to certmonger cmd = self.replicas[0].run_command( ['getcert', 'list', '-f', paths.RA_AGENT_PEM]) req_id = get_certmonger_fs_id(cmd.stdout_text) if needs_resubmit(self.replicas[0], req_id): self.replicas[0].run_command(['getcert', 'resubmit', '-i', req_id]) tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'), req_id, timeout=600) for cert_nick in ('auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca'): cmd = self.replicas[0].run_command([ 'getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick ]) req_id = get_certmonger_fs_id(cmd.stdout_text) if needs_resubmit(self.replicas[0], req_id): self.replicas[0].run_command( ['getcert', 'resubmit', '-i', req_id]) tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'), req_id, timeout=600) self.replicas[0].run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') check_status(self.replicas[0], 9, "MONITORING") # Sometimes certmonger takes time to update the cert status # So check in nssdb instead of relying on getcert command renewed_expiry = get_cert_expiry(self.replicas[0], paths.PKI_TOMCAT_ALIAS_DIR, 'Server-Cert cert-pki-ca') assert renewed_expiry > initial_expiry