fix: Workaround getcert issue when cert key-file is missing

When trying to resubmit a certificate request that had the key file removed, "getcert" hangs indefinitely, causing the role to not respond. This workaround checks if the private key file has been removed and fails ressubmiting the certificate request until the situation is fixed, by the user, using 'getcert stop-tracking --id <cert ID>'.
linux-system-roles · Nov 26, 2024 · 9f4c6ea · 9f4c6ea
1 parent c5fb693
commit 9f4c6ea
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/module_utils/certificate_lsr/providers/certmonger.py b/module_utils/certificate_lsr/providers/certmonger.py
@@ -40,6 +40,8 @@
     HAS_DBUS = True
     DBUS_IMPORT_ERROR = None
 
+import os
+
 from ansible.module_utils.certificate_lsr.providers import base
 
 
@@ -254,6 +256,18 @@ def request_certificate(self):
         command = [getcert_bin]
 
         if self.exists_in_certmonger:
+            # if certificate exists in certmonger and key-file is missing,
+            # reissuing the certificate will hang certmonger.
+            # See: https://issues.redhat.com/browse/RHEL-69043
+            keyfile = self._certmonger_metadata.get("key-file")
+            if keyfile and not os.path.isfile(keyfile):
+                self.module.fail_json(
+                    "Resubmiting a request without the private key "
+                    "file may hang certmonger. Please, stop monitoring "
+                    "certificate '{0}' before reissuing.".format(
+                        self._certmonger_metadata.get("nickname")
+                    )
+                )
             command += ["resubmit"]
         else:
             command += ["request"]