Replace subsystem.select with CAInstance.is_crlgen_enabled()

The subsystem.select is not a reliable indicator to determine whether the CA is a renewal master since there is no process in PKI to update the param when the role of the instance changes (from master to clone and vice versa) so the param has been removed in PKI 11.5. Instead, it's better to use CAInstance.is_crlgen_enabled() since CRL generation is only enabled in a renewal master. Signed-off-by: Endi Sukma Dewata <edewata@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
freeipa · Oct 19, 2023 · 1202d01 · 1202d01
1 parent 44349cf
commit 1202d01
Showing 1 changed file with 2 additions and 12 deletions.
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
@@ -28,7 +28,6 @@
 from ipalib.plugable import Registry
 from ipaplatform.paths import paths
 from ipapython.dn import DN
-from ipapython import directivesetter
 
 logger = logging.getLogger(__name__)
 
@@ -108,18 +107,9 @@ def execute(self, **options):
         else:
             logger.debug("certmonger request for RA cert not found")
 
-            config = directivesetter.get_directive(
-                paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
-
-            if config == 'New':
-                pass
-            elif config == 'Clone':
+            if not ca.is_crlgen_enabled():
+                # CA is not a renewal master
                 return False, []
-            else:
-                logger.warning(
-                    "CS.cfg has unknown subsystem.select value '%s', "
-                    "assuming local CA is not a renewal master", config)
-                return (False, False, [])
 
         update = {
                 'dn': dn,