authorRob Crittenden <rcritten@redhat.com>2010-02-26 12:30:01 -0500
committerRob Crittenden <rcritten@redhat.com>2010-02-26 12:30:01 -0500
commit0700f4d7cae9b0b25214b117715dd91a6ccb1132 (patch)
treeeb7071408ef3f481a090f66d380ddb49938e8a9e /ipalib
parentfc1313445512762acaf44b45eca9c4f98c2b824e (diff)
Don't try to revoke a cert that is already revoked.
We get a somewhat unusual error message back from dogtag when trying to revoke an already-revoked cert, so check its status first.
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/cert.py17
-rw-r--r--ipalib/plugins/service.py10
2 files changed, 22 insertions, 5 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 426e6d53..e266c9ac 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -286,11 +286,18 @@ class cert_request(VirtualCommand):
if 'usercertificate' in service:
serial = get_serial(base64.b64encode(service['usercertificate'][0]))
# revoke the certificate and remove it from the service
- # entry before proceeding
+ # entry before proceeding. First we retrieve the certificate to
+ # see if it is already revoked, if not then we revoke it.
try:
- api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+ result = api.Command['cert_get'](unicode(serial))['result']
+ if 'revocation_reason' not in result:
+ try:
+ api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+ except errors.NotImplementedError:
+ # some CA's might not implement revoke
+ pass
except errors.NotImplementedError:
- # some CA's might not implement revoke
+ # some CA's might not implement get
pass
api.Command['service_mod'](principal, usercertificate=None)
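Review bot: The new guard `if 'revocation_reason' not in result:` treats any reported reason as final, but reason 6 (certificateHold in RFC 5280 numbering) is reversible. If the CA reports held certificates with a reason, the old certificate is dropped from the service entry by `service_mod` without being permanently revoked, and it could later be released from hold. Consider revoking unless the reported reason is a non-hold value, and confirm the type `cert_get` returns for this field, since it is declared as `Str` later in this file while `cert_revoke` is passed an integer. When `cert_get` raises `NotImplementedError`, the revoke is skipped silently and the certificate is still removed from the entry, so a log line in that handler would leave an audit trail. The enclosing method starts and ends outside this hunk.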
@@ -367,6 +374,10 @@ class cert_get(VirtualCommand):
label=_('Subject'),
flags=['no_create', 'no_update', 'no_search'],
),
+ Str('revocation_reason?',
+ label=_('Revocation reason'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
operation="retrieve certificate"
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index d72a42dc..b8312ba5 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -199,9 +199,15 @@ class service_del(LDAPDelete):
if cert:
serial = unicode(get_serial(cert))
try:
- self.api.Command['cert_revoke'](serial, revocation_reason=5)
+ result = api.Command['cert_get'](unicode(serial))['result']
+ if 'revocation_reason' not in result:
+ try:
+ api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+ except errors.NotImplementedError:
+ # some CA's might not implement revoke
+ pass
except errors.NotImplementedError:
- # selfsign CA doesn't do revocation
+ # some CA's might not implement revoke
pass
return dn
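Review bot: The revocation reason passed in service_del changes from 5 to 4 in the new `cert_revoke` call, which the commit message does not mention and which looks copied from the cert.py hunk. In RFC 5280 numbering, 4 is superseded and 5 is cessationOfOperation, which is the accurate CRL reason for a deleted service, so keep `revocation_reason=5`. The new lines also call bare `api.Command[...]` where the old code used `self.api.Command[...]`; that only works if service.py has a module-level `api` in scope, which the hunk does not show, so `self.api` is the safer choice. `serial` is already unicode from the line above, so the `unicode(serial)` wrappers are redundant, and the outer handler's comment should read `# some CA's might not implement get`. service_del's method body starts outside the hunk.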