From 9f4c6ea1bc1efdb103007ffa2b7f33162864d1a9 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Tue, 26 Nov 2024 16:06:01 -0300
Subject: [PATCH] fix: Workaround getcert issue when cert key-file is missing

When trying to resubmit a certificate request that had the key file removed, "getcert" hangs indefinitely, causing the role to not respond. This workaround checks if the private key file has been removed and fails ressubmiting the certificate request until the situation is fixed, by the user, using 'getcert stop-tracking --id '.
---
 .../certificate_lsr/providers/certmonger.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/module_utils/certificate_lsr/providers/certmonger.py b/module_utils/certificate_lsr/providers/certmonger.py
index 3023fed..b8072ff 100644
--- a/module_utils/certificate_lsr/providers/certmonger.py
+++ b/module_utils/certificate_lsr/providers/certmonger.py
@@ -40,6 +40,8 @@
 HAS_DBUS = True
 DBUS_IMPORT_ERROR = None
+import os
+
 from ansible.module_utils.certificate_lsr.providers import base
@@ -254,6 +256,18 @@ def request_certificate(self):
 command = [getcert_bin]
 if self.exists_in_certmonger:
+ # if certificate exists in certmonger and key-file is missing,
+ # reissuing the certificate will hang certmonger.
+ # See: https://issues.redhat.com/browse/RHEL-69043
+ keyfile = self._certmonger_metadata.get("key-file")
+ if keyfile and not os.path.isfile(keyfile):
+ self.module.fail_json(
+ "Resubmiting a request without the private key "
+ "file may hang certmonger. Please, stop monitoring "
+ "certificate '{0}' before reissuing.".format(
+ self._certmonger_metadata.get("nickname")
+ )
+ )
 command += ["resubmit"]
 else:
 command += ["request"]
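Review bot: The failure raised in the new `if keyfile and not os.path.isfile(keyfile):` branch of request_certificate does not give the operator what is needed to recover. It omits the path of the missing key and the `getcert stop-tracking --id` step that the commit description names, and it prints `'None'` when the metadata has no "nickname" entry. I would pass the text as `msg=` and include both values, e.g. `msg="Private key file '{0}' is missing; resubmitting may hang certmonger. Run 'getcert stop-tracking --id {1}' before reissuing.".format(keyfile, nickname)`, assuming "nickname" is the tracking request id; this also fixes the "Resubmiting" spelling. The guard covers only the one trigger described in RHEL-69043, and a key file that disappears between this check and the resubmit would still reach getcert. The getcert invocation and the rest of request_certificate are outside this hunk, so whether that call is bounded by a timeout cannot be judged here.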