From 6f304bac61eadbacf4f176421c6927b92b74685e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 11 Sep 2024 16:33:00 -0400
Subject: [PATCH] Enable pruning when Random Serial Numbers are enabled

When using short-lived certs (ACME) along with normal certificate issuance the expired certs can build over time in the PKI database. This can cause issues with replication, performance and overall database size. Random Serial Numbers v3 (RSNv3) is mandatory to enable pruning so if we have it enabled then enable pruning to avoid future issues.

Related: https://pagure.io/freeipa/issue/9661

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rafael Guterres Jeffman
---
 ipaserver/install/cainstance.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12..f3ed9fff8510072f0ad210beaaea151a3099082b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -471,6 +471,8 @@ class CAInstance(DogtagInstance):
         self.step(
             "Ensuring backward compatibility",
             self.__dogtag10_migration)
+        if self.random_serial_numbers:
+            self.step("enable certificate pruning", self.enable_pruning)
         if promote:
             self.step("destroying installation admin user",
                       self.teardown_admin)
@@ -790,6 +792,17 @@ class CAInstance(DogtagInstance):
             'NSS_ENABLE_PKIX_VERIFY', '1',
             quotes=False, separator='=')
 
+    def enable_pruning(self):
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.enabled', 'true',
+                                      quotes=False, separator='=')
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.job.pruning.enabled',
+                                      'true', quotes=False, separator='=')
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.job.pruning.owner',
+                                      'ipara', quotes=False, separator='=')
+
     def __import_ra_cert(self):
         """
         Helper method for IPA domain level 0 replica install
-- 
2.47.0
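Review bot: The gate on `self.random_serial_numbers` deserves a why-comment in the step list, because nothing in the code says that RSNv3 is what makes pruning a safe thing to switch on; a line such as `# Pruning requires RSNv3, so enable it whenever random serials are in use` above the new `if` would carry the commit message's reasoning into the file. The step is registered before `if promote:` and so appears to run for both fresh installs and replica promotion, which is presumably intended since the directives are per-CA CS.cfg settings, but worth confirming. As a point of style, the new description `"enable certificate pruning"` is lowercase while the adjacent step reads "Ensuring backward compatibility". The enclosing method starts and ends outside the hunk.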
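Review bot: `enable_pruning` has no docstring, and since it sets only the scheduler enable, job enable and job owner directives, the pruning schedule and the retention period for expired certificates and stale requests are left to whatever the CS.cfg template already holds; that reliance should be stated so a maintainer does not assume the retention is pinned here. A short docstring would cover it: enables the Dogtag jobs scheduler and its pruning job in CS.cfg so expired certificates and old requests are removed from the CA database; RSNv3 is a prerequisite; retention and cron settings are not set here and fall back to the CS.cfg defaults. The directives are written to `paths.CA_CS_CFG_PATH` only, so they presumably take effect on the next restart of the CA service, which this hunk does not show — if a later step performs that restart, name it in the docstring. This is the only non-documentation point: consider noting in the docstring that pruned records are gone from the CA's own cert and request search, so anyone who relies on them for audit needs the ACME/CA log pipeline rather than the database.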