The framework needs to use the KRA Agent cert by using a copy stored in a PEM file. This copy is not tracked by certmonger, so once it expires the framework's KRA commands will break.
The KRA agent cert should be stored in only one file and tracked by certmonger.
Instead of having certmonger track the KRA agent cert in multiple locations, the PEM file can be exported from the NSS database for each request. To improve performance the PEM file can be cached. The cache should be invalidated if the KRA authentication fails.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1257074
The idea is to deal with this by having the framework code actually pull the PEM at runtime and cache it, then check if permission denied/cert expired is raised on its operations and pull again a new PEM from the nssdb and cache it, on the presumption that certmonger will have updated the cert in the NSSDB in the meanwhile.
This can be done in the post-command script that already exists for ipaCert, renew_ra_cert.
If you extract the data into discrete files when it gets renewed, the framework wouldn't have to be aware of this at all.
Note that you'll also need to pre-create the PEM versions during install/upgrade but it should be a one-time operation.
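The runtime approach discussed above (pull the PEM from the NSS DB, cache it, and re-export once when a KRA operation reports an authentication failure) as an added example. This is not FreeIPA's code: the `KRAAuthError` type, the NSS DB path and the nickname passed to `certutil` are assumptions, and the fake NSS DB and fake KRA below are constructed so the block runs offline.

```python
"""Cache the KRA agent PEM at runtime and refresh it once on auth failure.

Added example, not FreeIPA's implementation.  KRAAuthError, the NSS DB
directory and the certificate nickname are assumptions; the certutil
'-L -n <nick> -a' invocation is the real way to export a cert as PEM.
"""
import subprocess


class KRAAuthError(Exception):
    """Raised by a KRA operation when the agent cert is rejected (assumed type)."""


def export_pem_from_nssdb(nssdb_dir="/etc/httpd/alias", nickname="KRA Agent"):
    """Export the current agent cert from the NSS DB as PEM (assumed dir/nick)."""
    return subprocess.check_output(
        ["certutil", "-L", "-d", nssdb_dir, "-n", nickname, "-a"]).decode()


class AgentCertCache:
    """Lazy PEM cache that is invalidated when the KRA rejects the cert."""

    def __init__(self, exporter=export_pem_from_nssdb):
        self._exporter = exporter
        self._pem = None
        self.exports = 0          # how often we went back to the NSS DB

    def pem(self):
        if self._pem is None:
            self._pem = self._exporter()
            self.exports += 1
        return self._pem

    def invalidate(self):
        self._pem = None

    def call(self, operation):
        """Run operation(pem); on auth failure re-export once and retry.

        A second failure propagates: certmonger has evidently not renewed
        the cert yet, and looping would only hammer the KRA.
        """
        try:
            return operation(self.pem())
        except KRAAuthError:
            self.invalidate()
            return operation(self.pem())


# ---- constructed stand-ins so the block runs without a PKI -------------------

class FakeNSSDB:
    """Stand-in for the NSS DB that certmonger renews behind our back."""

    def __init__(self):
        self.current = "-----BEGIN CERTIFICATE-----\nold\n-----END CERTIFICATE-----\n"

    def export(self):
        return self.current

    def renew(self):
        self.current = "-----BEGIN CERTIFICATE-----\nnew\n-----END CERTIFICATE-----\n"


def kra_operation_for(nssdb):
    """Fake KRA call that only accepts the cert currently in the NSS DB."""
    def op(pem):
        if pem != nssdb.current:
            raise KRAAuthError("agent certificate rejected")
        return "ok"
    return op


def demo():
    db = FakeNSSDB()
    cache = AgentCertCache(exporter=db.export)
    op = kra_operation_for(db)
    first = cache.call(op)    # first use: one export, success
    cache.call(op)            # served from cache, no export
    db.renew()                # certmonger renewed the cert in the NSS DB
    second = cache.call(op)   # stale PEM rejected -> re-export -> success
    return first, second, cache.exports


def exports_after_persistent_failure():
    """Edge case: the fresh export is rejected too, so call() raises."""
    cache = AgentCertCache(exporter=lambda: "stale PEM")

    def reject(pem):
        raise KRAAuthError("agent certificate rejected")

    try:
        cache.call(reject)
    except KRAAuthError:
        return cache.exports  # exactly one re-export was attempted
    return -1


if __name__ == "__main__":
    print(demo())
```

The retry is bounded to one re-export on purpose: if the freshly exported cert is also rejected, the error is surfaced to the caller instead of being retried, since nothing the framework does will fix a cert certmonger has not renewed yet.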
Also after the KRA agent cert is renewed, the cert mapping to the KRA agent user needs to be updated in the PKI database. The mapping is stored in the LDAP entry of the KRA agent user:
```
dn: uid=ipakra,ou=people,o=kra,o=ipaca
...
description: <cert version>;<serial number>;<issuer DN>;<subject DN>
userCertificate: <DER encoded cert>
```
Note: cert version is 2
For now this should be done using LDAPI in IPA. In the future PKI will provide tools to update the cert mapping via LDAPI (https://fedorahosted.org/pki/ticket/1574) and IPA should use that instead.
The ipaCert is also used by the CA agent, so if it's renewed the mapping needs to be updated as well in the PKI database:
```
dn: uid=ipara,ou=people,o=ipaca
...
description: <cert version>;<serial number>;<issuer DN>;<subject DN>
userCertificate: <DER encoded cert>
```
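An added example, not FreeIPA or Dogtag code, showing how the `description` value for both the `uid=ipakra` and `uid=ipara` entries can be derived from the renewed certificate's DER bytes with only the standard library: the version field comes from the certificate's encoded version integer (2 for X.509 v3, matching the note above), the serial is rendered in decimal, and the issuer and subject DNs are rendered in RFC 4514 order without spaces. That DN rendering, the tiny DER writer used to construct a sample certificate, and the sample names and serial are assumptions of this example; the generalization to any v1 or v3 certificate is mine. Before writing the new value over LDAPI, compare the rendering of the old cert against the existing `description` attribute so a formatting mismatch is caught rather than silently breaking agent authentication.

```python
"""Derive the Dogtag agent-user cert mapping ('description') from a DER cert.

Added example, not FreeIPA or Dogtag code.  The format
'<cert version>;<serial>;<issuer DN>;<subject DN>' is from the ticket; DNs
rendered in RFC 4514 order without spaces and the sample cert built below
are assumptions of this example.
"""

SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}
ATTR_OIDS = {v: k for k, v in SHORT_NAMES.items()}


# ---- DER reading -----------------------------------------------------------

def read_tlv(data, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def name_to_str(name_content):
    """Render an X.501 Name as an RFC 4514 string (most specific RDN first)."""
    rdns = []
    for _, rdn in children(name_content):
        atvs = []
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            attr = SHORT_NAMES.get(decode_oid(oid), decode_oid(oid))
            atvs.append(f"{attr}={value.decode('utf-8')}")
        rdns.append("+".join(atvs))
    return ",".join(reversed(rdns))


def cert_mapping_description(der):
    """Return '<version>;<serial>;<issuer DN>;<subject DN>' for a DER cert."""
    (_, cert), = children(der)
    (_, tbs), _sig_alg, _sig = children(cert)
    fields = children(tbs)
    version = 0                              # v1 certs omit the [0] element
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT Version: v3 is encoded as 2
        version = int.from_bytes(children(fields.pop(0)[1])[0][1], "big")
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    issuer, subject = fields[2][1], fields[4][1]
    return f"{version};{serial};{name_to_str(issuer)};{name_to_str(subject)}"


# ---- DER writing, just enough to construct a sample certificate -------------

def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(n):                               # n >= 0; leading 0x00 keeps it positive
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            groups.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(groups))
    return tlv(0x06, bytes(body))


def der_name(rdns):
    """rdns in encoding order (least specific first), e.g. [('O', ..), ('CN', ..)]."""
    out = b""
    for attr, value in rdns:
        atv = tlv(0x30, der_oid(ATTR_OIDS[attr]) + tlv(0x0C, value.encode("utf-8")))
        out += tlv(0x31, atv)
    return tlv(0x30, out)


def sample_cert_der(serial, issuer, subject):
    """Constructed, unsigned stand-in for an agent cert (not a real PKI artefact)."""
    sha256_rsa = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    tbs = tlv(0x30,
              tlv(0xA0, der_int(2))                     # [0] version = 2 (v3)
              + der_int(serial)
              + sha256_rsa
              + der_name(issuer)
              + tlv(0x30, tlv(0x17, b"150901000000Z") + tlv(0x17, b"170901000000Z"))
              + der_name(subject)
              + tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
                    + tlv(0x03, b"\x00")))              # empty SPKI, placeholder
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))   # signature left empty


if __name__ == "__main__":
    cert = sample_cert_der(17, [("O", "EXAMPLE.COM"), ("CN", "Certificate Authority")],
                           [("O", "EXAMPLE.COM"), ("CN", "IPA RA")])
    print(cert_mapping_description(cert))
```

The returned string goes into `description` and the same DER bytes into `userCertificate` of the agent's entry; doing both in one LDAP modify avoids a window where the serial in `description` and the stored certificate disagree.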
master:
ipa-4-2:
Metadata Update from @simo: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.2.1