From 62a382e2c81e585eabdee2d4ff5a801402667991 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 24 Jan 2025 12:45:37 -0600 Subject: [PATCH] Clean up log messages in pki-server cert-fix --- base/server/python/pki/server/__init__.py | 19 ++++++++------- base/server/python/pki/server/cli/cert.py | 27 ++++++++++------------ base/server/python/pki/server/instance.py | 9 +++----- base/server/python/pki/server/subsystem.py | 2 +- 4 files changed, 27 insertions(+), 30 deletions(-) diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index e1315617320..27cedb133ef 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -1773,6 +1773,8 @@ def renew_certificate(connection, output, serial): :rtype: None """ + logger.info('Renewing cert %s', hex(serial)) + # Instantiate the CertClient cert_client = pki.cert.CertClient(connection) @@ -1786,10 +1788,10 @@ def renew_certificate(connection, output, serial): request_data = ret[0].request cert_data = ret[0].cert - logger.info('Request ID: %s', request_data.request_id) - logger.info('Request Status: %s', request_data.request_status) - logger.debug('request_data: %s', request_data) - logger.debug('cert_data: %s', cert_data) + logger.info('- request ID: %s', hex(int(request_data.request_id))) + logger.info('- request status: %s', request_data.request_status) + logger.debug('- request data: %s', request_data) + logger.debug('- cert data: %s', cert_data) if not cert_data: raise PKIServerException('Unable to renew system ' 
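Review bot: The `hex(int(request_data.request_id))` argument in the second `renew_certificate` hunk is evaluated ahead of the `if not cert_data` check and the write to `output`, so a request ID that `int()` cannot parse as decimal would raise `ValueError` and abort the renewal from inside a log statement. Whether the CA can return such an ID is not visible here, and the call that produces `ret` lies outside the hunk. The same applies to `hex(serial)` in the first hunk, which raises `TypeError` if a caller passes the serial as a string, and the two calls disagree on whether a conversion is needed. Logging the raw value avoids this, e.g. `logger.info('- request ID: %s', request_data.request_id)`; alternatively, normalise once in a helper that falls back to the original value when conversion fails.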
@@ -1801,13 +1803,14 @@ def renew_certificate(connection, output, serial): raise PKIServerException('Unable to retrieve serial number of ' 'renewed certificate.') - logger.info('Serial Number: %s', cert_serial_number) - logger.info('Issuer: %s', cert_data.issuer_dn) - logger.info('Subject: %s', cert_data.subject_dn) - logger.debug('Pretty Print:') + logger.info('- serial number: %s', cert_serial_number) + logger.info('- issuer: %s', cert_data.issuer_dn) + logger.info('- subject: %s', cert_data.subject_dn) logger.debug(cert_data.pretty_repr) new_cert_data = cert_client.get_cert(cert_serial_number=cert_serial_number) + + logger.info('Storing cert into %s', output) with open(output, 'w', encoding='utf-8') as f: f.write(new_cert_data.encoded) diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py index 80d648979d2..40000c99222 100644 --- a/base/server/python/pki/server/cli/cert.py +++ b/base/server/python/pki/server/cli/cert.py @@ -30,7 +30,6 @@ import sys from tempfile import NamedTemporaryFile import textwrap -import time from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 @@ -1317,8 +1316,8 @@ def execute(self, argv, args=None): fix_certs.append(cert['id']) - logger.info('Fixing the following system certs: %s', fix_certs) - logger.info('Renewing the following additional certs: %s', extra_certs) + logger.info('Fixing certs: %s', ', '.join(fix_certs)) + logger.info('Additional certs: %s', ', '.join(extra_certs)) # Get the CA subsystem and find out Base DN. ca_subsystem = instance.get_subsystem('ca') @@ -1332,8 +1331,8 @@ def execute(self, argv, args=None): dm_pass = getpass.getpass(prompt='Enter Directory Manager password: ') # 2. Stop the server, if it's up - logger.info('Stopping the instance to proceed with system cert renewal') - instance.stop() + logger.info('Stopping PKI server') + instance.stop(wait=True) # 3. Find the subsystem and disable Self-tests try: 
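Review bot: In the `@@ -1317,8` hunk, `', '.join(fix_certs)` and `', '.join(extra_certs)` require every element to be a `str`. `fix_certs` is filled from `cert['id']`, but how `extra_certs` is populated is not visible; if it holds serial numbers as integers, the join raises `TypeError` where the old `%s` formatting of the list did not. An empty list also now prints nothing after the colon, which reads as a truncated line rather than "no certs". Something like `', '.join(map(str, extra_certs)) or '(none)'` covers both cases.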
@@ -1428,11 +1427,11 @@ def execute(self, argv, args=None): # 8. Delete existing certs and then import the renewed system cert(s) for cert_id in fix_certs: # Delete the existing cert from the instance - logger.debug('Removing old %s cert from instance %s', cert_id, instance_name) + logger.info('Removing old %s cert from NSS database', cert_id) instance.cert_del(cert_id) # Import this new cert into the instance - logger.debug('Importing new %s cert into instance %s', cert_id, instance_name) + logger.info('Importing new %s cert into NSS database', cert_id) instance.cert_import(cert_id) # If subsystem cert was renewed and server was using @@ -1460,8 +1459,8 @@ def execute(self, argv, args=None): subprocess.check_call(cmd) # 10. Bring up the server - logger.info('Starting the instance with renewed certs') - instance.start() + logger.info('Starting PKI server with renewed certs') + instance.start(wait=True) except pki.server.PKIServerException as e: logger.error(str(e)) @@ -1498,15 +1497,13 @@ def suppress_selftest(subsystems): @contextmanager def start_stop(instance): """Start the server, run the block, and guarantee stop afterwards.""" - logger.info('Starting the instance') - instance.start() - logger.info('Sleeping for 10 seconds to allow server time to start...') - time.sleep(10) + logger.info('Starting PKI server') + instance.start(wait=True) try: yield finally: - logger.info('Stopping the instance') - instance.stop() + logger.info('Stopping PKI server') + instance.stop(wait=True) @contextmanager diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py index 1f9c497aa09..093d7fa76c4 100644 --- a/base/server/python/pki/server/instance.py +++ b/base/server/python/pki/server/instance.py 
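Review bot: The two rewritten messages in the `for cert_id in fix_certs` loop drop `instance_name`, so on a host with several instances the log no longer says whose NSS database had a cert removed and replaced. `instance.cert_del(cert_id)` runs before `instance.cert_import(cert_id)` and nothing in the hunk restores the old cert if the import fails, so this is the record an operator needs during recovery. Assuming `instance_name` is still defined here, as the removed lines used it, keep it: `logger.info('Removing old %s cert from NSS database of instance %s', cert_id, instance_name)`, and likewise for the import message. `execute` starts and ends outside the hunk.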
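Review bot: `instance.start(wait=True)` in `start_stop` sits before the `try:`, so if the wait fails after the server process has been launched, the `finally` block never runs and the server is left up in whatever state the surrounding repair had reached. How `start` reports a startup that does not complete is not visible here, but the old code apparently returned at once and slept, so this failure path is new. Moving the call into the guarded block, as `try:` / `instance.start(wait=True)` / `yield`, makes the stop attempt unconditional. The same placement question applies to `instance.stop(wait=True)` ahead of the `try:` in the `@@ -1332,8` hunk. In the `@@ -1460,8` hunk, `instance.start(wait=True)` is covered only by `except pki.server.PKIServerException`, so any other exception type would escape as a traceback.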
@@ -907,12 +907,12 @@ def cert_create( if temp_cert: assert subsystem is not None # temp_cert only supported with cert_id - logger.info('Trying to create a new temp cert for %s.', cert_id) + logger.info('Creating temp cert for %s', cert_id) # Create Temp Cert and write it to new_cert_file subsystem.temp_cert_create(nssdb, cert_tag, serial, new_cert_file) - logger.info('Temp cert for %s is available at %s.', cert_id, new_cert_file) + logger.info('Storing temp cert into %s', new_cert_file) else: # Create permanent certificate @@ -920,7 +920,7 @@ def cert_create( # TODO: Support rekey raise pki.server.PKIServerException('Rekey is not supported yet.') - logger.info('Trying to setup a secure connection to CA subsystem.') + logger.debug('Setting up secure connection to CA') if username and password: connection = pki.server.PKIServer.setup_password_authentication( username, password, subsystem_name='ca', secure_port=secure_port, @@ -938,11 +938,8 @@ def cert_create( tmpdir=tmpdir, secure_port=secure_port ) - logger.info('Secure connection with CA is established.') - logger.info('Placing cert creation request for serial: %s', serial) pki.server.PKIServer.renew_certificate(connection, new_cert_file, serial) - logger.info('New cert is available at: %s', new_cert_file) finally: nssdb.close() diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index cd5e8ad30dd..9f5e73528f4 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -1070,7 +1070,7 @@ def temp_cert_create(self, nssdb, cert_tag, serial, new_cert_file): :return: None :rtype: None """ - logger.info('Generate temp SSL certificate') + logger.debug('Generating temp SSL certificate') if cert_tag != 'sslserver': raise pki.server.PKIServerException(
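Review bot: In the `@@ -907,12` hunk, `Storing temp cert into %s` is logged after `subsystem.temp_cert_create(nssdb, cert_tag, serial, new_cert_file)` has already written the file. A failure inside that call therefore leaves only `Creating temp cert for %s` in the log, with no target path, and the success message no longer names `cert_id`. Either move the line above the call or report completion in the past tense: `logger.info('Temp cert for %s stored in %s', cert_id, new_cert_file)`. Separately, the context line `assert subsystem is not None` is stripped under `python -O`; an explicit `raise pki.server.PKIServerException(...)` would keep the guard in optimised runs. `cert_create` starts and ends outside the hunk.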