ipa/0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch

From 6f304bac61eadbacf4f176421c6927b92b74685e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 11 Sep 2024 16:33:00 -0400
Subject: [PATCH] Enable pruning when Random Serial Numbers are enabled

When using short-lived certs (ACME) along with normal certificate
issuance the expired certs can build over time in the PKI database.
This can cause issues with replication, performance and overall
database size.

Random Serial Numbers v3 (RSNv3) is mandatory to enable pruning
so if we have it enabled then enable pruning to avoid future issues.

Related: https://pagure.io/freeipa/issue/9661

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
 ipaserver/install/cainstance.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12..f3ed9fff8510072f0ad210beaaea151a3099082b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -471,6 +471,8 @@ class CAInstance(DogtagInstance):
             self.step(
                 "Ensuring backward compatibility",
                 self.__dogtag10_migration)
+            if self.random_serial_numbers:
+                self.step("enable certificate pruning", self.enable_pruning)
             if promote:
                 self.step("destroying installation admin user",
                           self.teardown_admin)
@@ -790,6 +792,17 @@ class CAInstance(DogtagInstance):
                                    'NSS_ENABLE_PKIX_VERIFY', '1',
                                    quotes=False, separator='=')
 
+    def enable_pruning(self):
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.enabled', 'true',
+                                      quotes=False, separator='=')
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.job.pruning.enabled',
+                                      'true', quotes=False, separator='=')
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.job.pruning.owner',
+                                      'ipara', quotes=False, separator='=')
+
     def __import_ra_cert(self):
         """
         Helper method for IPA domain level 0 replica install
-- 
2.47.0
ipa-4.12.2-8 - Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers - Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred - Resolves: RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-11-27 18:43:17 +00:00			`From 6f304bac61eadbacf4f176421c6927b92b74685e Mon Sep 17 00:00:00 2001`
			`From: Rob Crittenden <rcritten@redhat.com>`
			`Date: Wed, 11 Sep 2024 16:33:00 -0400`
			`Subject: [PATCH] Enable pruning when Random Serial Numbers are enabled`

			`When using short-lived certs (ACME) along with normal certificate`
			`issuance the expired certs can build over time in the PKI database.`
			`This can cause issues with replication, performance and overall`
			`database size.`

			`Random Serial Numbers v3 (RSNv3) is mandatory to enable pruning`
			`so if we have it enabled then enable pruning to avoid future issues.`

			`Related: https://pagure.io/freeipa/issue/9661`

			`Signed-off-by: Rob Crittenden <rcritten@redhat.com>`
			`Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>`
			`Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>`
			`Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>`
			`---`
			`ipaserver/install/cainstance.py \| 13 +++++++++++++`
			`1 file changed, 13 insertions(+)`

			`diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py`
			`index d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12..f3ed9fff8510072f0ad210beaaea151a3099082b 100644`
			`--- a/ipaserver/install/cainstance.py`
			`+++ b/ipaserver/install/cainstance.py`
			`@@ -471,6 +471,8 @@ class CAInstance(DogtagInstance):`
			`self.step(`
			`"Ensuring backward compatibility",`
			`self.__dogtag10_migration)`
			`+ if self.random_serial_numbers:`
			`+ self.step("enable certificate pruning", self.enable_pruning)`
			`if promote:`
			`self.step("destroying installation admin user",`
			`self.teardown_admin)`
			`@@ -790,6 +792,17 @@ class CAInstance(DogtagInstance):`
			`'NSS_ENABLE_PKIX_VERIFY', '1',`
			`quotes=False, separator='=')`

			`+ def enable_pruning(self):`
			`+ directivesetter.set_directive(paths.CA_CS_CFG_PATH,`
			`+ 'jobsScheduler.enabled', 'true',`
			`+ quotes=False, separator='=')`
			`+ directivesetter.set_directive(paths.CA_CS_CFG_PATH,`
			`+ 'jobsScheduler.job.pruning.enabled',`
			`+ 'true', quotes=False, separator='=')`
			`+ directivesetter.set_directive(paths.CA_CS_CFG_PATH,`
			`+ 'jobsScheduler.job.pruning.owner',`
			`+ 'ipara', quotes=False, separator='=')`
			`+`
			`def __import_ra_cert(self):`
			`"""`
			`Helper method for IPA domain level 0 replica install`
			`--`
			`2.47.0`