From 6173c49c14c9ce625dc153b7332f3b6a6a7d0a47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Charlier?=
Date: Mon, 11 Jan 2021 11:32:14 +0100
Subject: [PATCH] Get the intermediate certificate whenever needed

The intermediate certificate was currently retrieved locally only for the 1st certificate generation. This causes issues when the intermediate cerficiate changes (recent change from X3 to R3) and the certificates just need to be renewed. This patch moves the retrieval of the intermediate certificate along with the certificate creation to be sure the former exists before being attached to the latter.
---
 lecm/certificate.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/lecm/certificate.py b/lecm/certificate.py
index 963aa8d..8381025 100644
--- a/lecm/certificate.py
+++ b/lecm/certificate.py
@@ -105,14 +105,15 @@ def _create_filesystem(self):
 utils.enforce_selinux_context(self.path)
 
 def _get_intermediate_certificate(self):
- certificate = requests.get(_INTERMEDIATE_CERTIFICATE_URL).text
 certificate_name = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL)
-
- LOG.info('[global] Getting intermediate certificate PEM file: %s' %
- certificate_name)
 if not os.path.exists('%s/pem/%s' % (self.path, certificate_name)):
- with open('%s/pem/%s' % (self.path, certificate_name), 'w') as f:
- f.write(certificate)
+ certificate = requests.get(_INTERMEDIATE_CERTIFICATE_URL).text
+
+ LOG.info('[global] Getting intermediate certificate PEM file: %s' %
+ certificate_name)
+ if not os.path.exists('%s/pem/%s' % (self.path, certificate_name)):
+ with open('%s/pem/%s' % (self.path, certificate_name), 'w') as f:
+ f.write(certificate)
 
 def _create_account_key(self):
 account_key = crypto.PKey()
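Review bot: The body returned by `requests.get(_INTERMEDIATE_CERTIFICATE_URL).text` is written to `pem/<name>` without checking the HTTP status or bounding the wait. Because the surrounding `os.path.exists` test then suppresses every later download, an error page or truncated response would be kept and appended to each certificate chain from then on. I would fetch with `resp = requests.get(_INTERMEDIATE_CERTIFICATE_URL, timeout=30)` followed by `resp.raise_for_status()`, and refuse to write a body that does not start with `-----BEGIN CERTIFICATE-----`. The inner `if not os.path.exists(...)` added here repeats the outer condition and can be dropped so that `with open(...)` sits directly under the log call.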
@@ -257,6 +258,7 @@ def _create_certificate(self):
 
 LOG.debug('[%s] Concatenating certificate with intermediate pem: \
 %s/pem/%s.pem' % (self.name, self.path, self.name))
+ self._get_intermediate_certificate()
 pem_filename = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL)
 filenames = ['%s/certs/%s.crt' % (self.path, self.name),
 '%s/pem/%s' % (self.path, pem_filename)]
@@ -287,10 +289,6 @@ def generate(self):
 
 self._create_filesystem()
 
- certificate_name = os.path.basename(_INTERMEDIATE_CERTIFICATE_URL)
- if not os.path.exists('%s/pem/%s' % (self.path, certificate_name)):
- self._get_intermediate_certificate()
-
 # Ensure there is no left-over from previous setup # try:
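Review bot: Nothing between the new `self._get_intermediate_certificate()` call and the `filenames` list checks that the cached file named by `_INTERMEDIATE_CERTIFICATE_URL` is the issuer of the certificate in `certs/<name>.crt`. After a CA-side intermediate switch like the one the commit message mentions, the combined PEM could therefore carry a chain that clients reject. Since the module already uses `crypto`, both files could be loaded with `crypto.load_certificate(crypto.FILETYPE_PEM, ...)` and the leaf's `get_issuer()` compared with the intermediate's `get_subject()` before concatenating, logging an error on mismatch. The call can also raise a `requests` exception at this point, which presumably aborts after the `.crt` has been written; `_create_certificate` starts and ends outside this hunk, so confirm how callers handle that.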