From 0700f4d7cae9b0b25214b117715dd91a6ccb1132 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 26 Feb 2010 12:30:01 -0500
Subject: Don't try to revoke a cert that is already revoked.

We get a bit of an unusual error message back from dogtag when trying to revoke a revoked cert so check its status first.
---
 ipalib/plugins/service.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'ipalib/plugins/service.py')
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index d72a42dc3..b8312ba55 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -199,9 +199,15 @@ class service_del(LDAPDelete):
 if cert:
 serial = unicode(get_serial(cert))
 try:
- self.api.Command['cert_revoke'](serial, revocation_reason=5)
+ result = api.Command['cert_get'](unicode(serial))['result']
+ if 'revocation_reason' not in result:
+ try:
+ api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+ except errors.NotImplementedError:
+ # some CA's might not implement revoke
+ pass
 except errors.NotImplementedError:
- # selfsign CA doesn't do revocation
+ # some CA's might not implement revoke
 pass
 return dn
-- cgit
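Review bot: The added `cert_revoke` call passes `revocation_reason=4` where the removed line passed 5, and the commit message only mentions skipping already-revoked certs, so the reason code recorded for the revocation changes without explanation. In the RFC 5280 CRLReason numbering 4 is superseded and 5 is cessationOfOperation, which looks like the better fit for a deleted service, so either keep `revocation_reason=5` or add a comment saying why 4 is intended. The `'revocation_reason' not in result` test skips any certificate that carries a reason at all, which would presumably include one placed on hold (reason 6) if the CA reports holds through the same field; that would leave a held, releasable cert behind for a deleted service, so it is worth confirming against the CA's behaviour. The inner `try`/`except errors.NotImplementedError` duplicates the outer handler and `serial` is already unicode, so the guarded call can be the single line `self.api.Command['cert_revoke'](serial, revocation_reason=5)` directly under the `if`, using `self.api` as the removed line did. The enclosing method starts above the hunk, so whether a module-level `api` is in scope cannot be seen from here.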