Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/rpki/rootd.py6
-rw-r--r--rpkid/rpki/rpkid.py39
-rw-r--r--rpkid/rpki/rpkid_tasks.py8
3 files changed, 33 insertions, 20 deletions
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index c7720969..ce4afd86 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -186,7 +186,9 @@ class main(object):
rpki.log.debug("No PKCS #10 request, can't generate subject certificate yet")
return None
resources = self.rpki_root_cert.get_3779resources()
- rpki.log.info("Generating subject cert with resources " + str(resources))
+ notAfter = now + self.rpki_subject_lifetime
+ rpki.log.info("Generating subject cert %s with resources %s, expires %s" % (
+ self.rpki_base_uri + self.rpki_subject_cert, resources, notAfter))
req_key = pkcs10.getPublicKey()
req_sia = pkcs10.get_SIA()
self.next_serial_number()
@@ -198,7 +200,7 @@ class main(object):
aia = self.rpki_root_cert_uri,
crldp = self.rpki_base_uri + self.rpki_root_crl,
resources = resources,
- notAfter = now + self.rpki_subject_lifetime)
+ notAfter = notAfter)
self.set_subject_cert(subject_cert)
self.generate_crl_and_manifest(now)
return subject_cert
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index d0cd66cd..6334a9d4 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -477,6 +477,13 @@ class ca_obj(rpki.sql.sql_persistent):
return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND state = 'deprecated'", (self.ca_id,))
@property
+ def active_or_deprecated_ca_details(self):
+ """
+ Fetch active and deprecated ca_details for this CA, if any.
+ """
+ return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND (state = 'active' OR state = 'deprecated')", (self.ca_id,))
+
+ @property
def revoked_ca_details(self):
"""
Fetch revoked ca_details for this CA, if any.
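Review bot: The new `active_or_deprecated_ca_details` query is correctly parameterized (the `ca_id` goes through the `(self.ca_id,)` argument tuple, not string formatting), so the only point is style: the `OR` on two literal states reads more clearly as a set membership, `"ca_id = %s AND state IN ('active', 'deprecated')"`, and that form is easier to extend if a further state ever needs the same treatment. The docstring could also say why the two states are grouped, since callers in rpkid_tasks use it to decide which ca_details still need fresh CRLs and manifests.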
@@ -618,6 +625,7 @@ class ca_obj(rpki.sql.sql_persistent):
callback = cb,
errback = eb)
+ rpki.log.debug("Sending issue request to %r from %r" % (parent, self.create))
rpki.up_down.issue_pdu.query(parent, self, ca_detail, done, eb)
def delete(self, parent, callback):
@@ -693,6 +701,7 @@ class ca_obj(rpki.sql.sql_persistent):
callback = cb,
errback = eb)
+ rpki.log.debug("Sending issue request to %r from %r" % (parent, self.rekey))
rpki.up_down.issue_pdu.query(parent, self, new_detail, done, eb)
def revoke(self, cb, eb, revoke_all = False):
@@ -849,14 +858,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
child_cert.reissue(ca_detail = self, publisher = publisher)
for roa in predecessor.roas:
roa.regenerate(publisher = publisher)
-
- # Need to do something to regenerate ghostbusters here?
- # Yes, I suspect so, since presumably we want the ghostbuster to
- # be issued by the new ca_detail at this point. But check code.
-
- if predecessor.ghostbusters:
- rpki.log.warn("Probably should be regenerating Ghostbusters %r here" % ghostbuster)
-
+ for ghostbuster in predecessor.ghostbusters:
+ ghostbuster.regenerate(publisher = publisher)
+ predecessor.generate_crl(publisher = publisher)
+ predecessor.generate_manifest(publisher = publisher)
publisher.call_pubd(callback, errback)
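Review bot: `predecessor.ghostbusters` is iterated while each `ghostbuster.regenerate(...)` call presumably re-homes the object under the new ca_detail; if that property is a live, cached collection rather than a fresh SQL fetch on every access, entries can be skipped mid-iteration. The same pattern is already used for `child_certs` and `roas` just above, so this is at least consistent, but it is worth confirming; if the collection is cached, `for ghostbuster in list(predecessor.ghostbusters):` makes the loop safe. The ordering is right as far as the hunk shows: the predecessor's CRL and manifest are regenerated only after its children, ROAs and ghostbusters have been reissued, so the old objects are dropped from the manifest in the same publication batch. The enclosing method starts outside the hunk.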
@@ -973,7 +978,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
"""
def issued(issue_response):
- self.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert
+ new_ca_cert = issue_response.payload.classes[0].certs[0].cert
+ if self.latest_ca_cert != new_ca_cert:
+ self.latest_ca_cert = new_ca_cert
+ self.sql_mark_dirty()
new_resources = self.latest_ca_cert.get_3779resources()
publisher = publication_queue()
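Review bot: The `self.latest_ca_cert != new_ca_cert` test relies on the certificate class defining `__ne__`; this file is Python 2 (`except Exception, e:` appears further down), where a class that implements only `__eq__` falls back to identity comparison for `!=`, so a freshly parsed certificate would always compare unequal and the dirty-marking would never be skipped (harmless, but the condition would be doing nothing). Worth confirming rpki.x509's comparison methods, or comparing the encoded certificate bytes explicitly; either way a one-line comment stating what "unchanged" means here would help, e.g. `# Only mark dirty when the parent actually issued a new certificate`. Separately, `issue_response.payload.classes[0].certs[0]` is still indexed without a length check, so an empty class in the parent's response raises IndexError inside the callback rather than a descriptive up-down error — that predates this commit. The enclosing `update` method starts outside the hunk.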
@@ -988,6 +996,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
publisher.call_pubd(callback, errback)
+ rpki.log.debug("Sending issue request to %r from %r" % (parent, self.update))
rpki.up_down.issue_pdu.query(parent, ca, self, issued, errback)
@classmethod
@@ -1025,7 +1034,6 @@ class ca_detail_obj(rpki.sql.sql_persistent):
notAfter = self.latest_ca_cert.getNotAfter(),
is_ca = False)
-
def generate_manifest_cert(self):
"""
Generate a new manifest certificate for this ca_detail.
@@ -1136,21 +1144,24 @@ class ca_detail_obj(rpki.sql.sql_persistent):
parent = ca.parent
crl_interval = rpki.sundial.timedelta(seconds = parent.self.crl_interval)
now = rpki.sundial.now()
+ uri = self.manifest_uri
if nextUpdate is None:
nextUpdate = now + crl_interval
if self.latest_manifest_cert is None or self.latest_manifest_cert.getNotAfter() < nextUpdate:
- rpki.log.debug("Generating manifest certificate")
+ rpki.log.debug("Generating EE certificate for %s" % uri)
self.generate_manifest_cert()
+ rpki.log.debug("Latest CA cert notAfter %s, new %s EE notAfter %s" % (
+ self.latest_ca_cert.getNotAfter(), uri, self.latest_manifest_cert.getNotAfter()))
- rpki.log.debug("Constructing manifest object list")
+ rpki.log.debug("Constructing manifest object list for %s" % uri)
objs = [(self.crl_uri_tail, self.latest_crl)]
objs.extend((c.uri_tail, c.cert) for c in self.child_certs)
objs.extend((r.uri_tail, r.roa) for r in self.roas if r.roa is not None)
objs.extend((g.uri_tail, g.ghostbuster) for g in self.ghostbusters)
- rpki.log.debug("Building manifest object")
+ rpki.log.debug("Building manifest object %s" % uri)
self.latest_manifest = rpki.x509.SignedManifest.build(
serial = ca.next_manifest_number(),
thisUpdate = now,
@@ -1163,7 +1174,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
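Review bot: The new debug line prints the CA cert's notAfter beside the EE cert's, but nothing acts on the relationship: when `self.latest_ca_cert.getNotAfter()` is earlier than `nextUpdate`, a manifest is still built with that `nextUpdate`, and since the regenerated EE cert presumably cannot outlive its issuer, the `self.latest_manifest_cert.getNotAfter() < nextUpdate` test stays true on every call and the EE cert is reissued for each manifest. Consider clamping before the comparison, `nextUpdate = min(nextUpdate, self.latest_ca_cert.getNotAfter())`, or at least emitting `rpki.log.warn` when the CA cert will expire before the manifest's nextUpdate, since a manifest whose nextUpdate exceeds its EE cert's validity is likely to be rejected or treated as stale by relying parties. `generate_manifest` starts and ends outside the hunk.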
self.manifest_published = rpki.sundial.now()
self.sql_mark_dirty()
- publisher.publish(cls = rpki.publication.manifest_elt, uri = self.manifest_uri, obj = self.latest_manifest, repository = parent.repository,
+ publisher.publish(cls = rpki.publication.manifest_elt, uri = uri, obj = self.latest_manifest, repository = parent.repository,
handler = self.manifest_published_callback)
def manifest_published_callback(self, pdu):
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index d343012e..cc57e189 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -553,10 +553,10 @@ class RegnerateCRLsAndManifestsTask(AbstractTask):
for ca_detail in ca.revoked_ca_details:
if now > ca_detail.latest_crl.getNextUpdate():
ca_detail.delete(ca = ca, publisher = publisher)
- ca_detail = ca.active_ca_detail
- if ca_detail is not None and now + regen_margin > ca_detail.latest_crl.getNextUpdate():
- ca_detail.generate_crl(publisher = publisher)
- ca_detail.generate_manifest(publisher = publisher)
+ for ca_detail in ca.active_or_deprecated_ca_details:
+ if now + regen_margin > ca_detail.latest_crl.getNextUpdate():
+ ca_detail.generate_crl(publisher = publisher)
+ ca_detail.generate_manifest(publisher = publisher)
except (SystemExit, rpki.async.ExitNow):
raise
except Exception, e:
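Review bot: The new loop dereferences `ca_detail.latest_crl` for every active or deprecated ca_detail, so a ca_detail that has not yet generated a CRL (if `latest_crl` can be None for a freshly created active one — the hunk does not show this) raises AttributeError, and because the surrounding `try` appears to wrap the whole loop, that would abort CRL and manifest regeneration for the remaining CAs in this pass rather than just the one ca_detail. A guard such as `if ca_detail.latest_crl is None or now + regen_margin > ca_detail.latest_crl.getNextUpdate():` keeps the deprecated/active regeneration going in that case. The `try` and the enclosing method start outside the hunk, so the scope of the `except` is inferred.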