Remove CSR from CS.cfg and store them in certs folder #4588
Conversation
| The parameters `<subsystem_name>.<cert_id>.cert` and `<subsystem_name>.<cert_id>.certreq` are removed from `CS.cfg` files. | ||
| Certificates are retrieved from the nssdb configured and they are not stored in other places. | ||
| CSR are stored in the folder `<instance_config>/certs` as `<cert_nickname>.csr` and they are retrieved from this location. | ||
| For the cloning operation CSRs have to be specified in `pkispawn` configuration because they cannot be retrieved from the master configuration. |
There was a problem hiding this comment.
This means if someone has an automation for the cloning process (e.g. QE, IPA) this change will break it. I think initially we should continue supporting the existing mechanism (i.e. retrieving the CSRs from master) but we can generate a warning saying that we're deprecating this process and they will need to provide the CSRs to pkispawn. Then in the future we can drop the old code.
We probably should also consider providing a tool to export the CSRs more easily, e.g. creating a tarball containing all CSRs so the admin doesn't need to deal with multiple files.
There was a problem hiding this comment.
You might also want to update the IPA clone test to verify that the <instance>/certs/<nickname>.csr files exist on the clones.
There was a problem hiding this comment.
@edewata I miss this last comment. I'll add before merge or when working on the CSR healtcheck test.
| tags = subsystem.config['preop.cert.list'].split(',') | ||
| for tag in tags: | ||
| if tag == 'sslserver': | ||
| continue | ||
|
|
||
| # check CSR in CS.cfg | ||
| param = '%s.%s.certreq' % (subsystem.name, tag) | ||
| csr = subsystem.config.get(param) | ||
|
|
||
| if csr: | ||
| # CSR already exists | ||
| continue | ||
|
|
||
| # CSR doesn't exist, import from master | ||
| names.append(param) | ||
|
|
||
| if subsystem.name == 'ca': |
There was a problem hiding this comment.
I think this code needs to be restored, but instead of checking the <subsystem>.<tag>.certreq we should check the <instance>/certs/<nickname>.csr file. If the file exists we can skip it, but otherwise we need to import the CSR from the master.
There was a problem hiding this comment.
On the master side, we'll need to check if the requested param equals <subsystem>.<tag>.certreq we'll need to get the value from the CSR file:
https://github.com/dogtagpki/pki/blob/master/base/server/src/main/java/com/netscape/cms/servlet/csadmin/GetConfigEntries.java#L156
There was a problem hiding this comment.
I cannot verify what is present in the folder. It is not sure if it will be created but maybe I can check if they are provided. I'll do some tests.
fmarco76
force-pushed
the
ConfigurationFreeCSR
branch
from
28f4894 to
c001e0f
Compare
fmarco76
force-pushed
the
ConfigurationFreeCSR
branch
7 times, most recently
from
bb2698e to
15f9fda
Compare
There was a problem hiding this comment.
Thanks for the updates!
Please see my comments. I think we should fix the folder & file ownership, but the rest is just minor suggestions. If you prefer to fix the folder/file ownership in a separate PR that's fine too since we still have time before the release, so feel free to update/merge.
base/server/src/main/java/com/netscape/cms/servlet/csadmin/GetConfigEntries.java
Outdated
Show resolved
Hide resolved
fmarco76
force-pushed
the
ConfigurationFreeCSR
branch
3 times, most recently
from
908b8df to
436f01b
Compare
CSR are created and stored in `<instance_config>/certs` folder as `<certs_id>.csr` files. Fix dogtagpki#2111
Add a check of CSR between CA master and clone.
fmarco76
force-pushed
the
ConfigurationFreeCSR
branch
from
d4f81ec to
ce97033
Compare
|
Thanks for the update! Sorry, I just realized something else. It looks like the CSR files are sometimes called |
I think CSRs are always called with I used the nickname because the same |
|
Sorry, I was thinking about cert IDs returned by But let's merge this PR as is, then we can discuss further about this issue later. Thanks! |
fmarco76
force-pushed
the
ConfigurationFreeCSR
branch
4 times, most recently
from
a4e394c to
3e6614a
Compare
fmarco76
force-pushed
the
ConfigurationFreeCSR
branch
from
3e6614a to
cc58713
Compare
|
@edewata I have modified the file name so now they are stored as <cert_id>.csr where If all the test are OK I think we can merge. We have to define how the healcheck should work now. |
|
Kudos, SonarCloud Quality Gate passed! |
|
Awesome! Thanks @fmarco76! |
|
@edewata Thanks! |
CSR are created and stored in
<instance_config>/certsfolder as<certs_id>.csrfiles.Fix #2111