authorFraser Tweedale <ftweedal@redhat.com>2018-01-29 18:34:51 +1100
committerChristian Heimes <cheimes@redhat.com>2018-02-08 13:53:30 +0100
commitb07937d0b80c8ccc714ea62fafcc7090bbaecc23 (patch)
tree53f9d8dfc8cc5e316fdaee6ea85cf0bde4156897
parent8821f7ae8e666b4ae42e232c672d616bf7fbffeb (diff)
Update IPA CA issuer DN upon renewal
When renewing an externally-signed CA or when switching from an externally-signed to a self-signed CA, the Issuer DN can change. Update the ipaCaIssuerDn field of the IPA CA entry upon renewal to keep it in sync. Fixes: https://pagure.io/freeipa/issue/7316 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
-rw-r--r--ipaserver/install/ipa_cacert_manage.py26
1 files changed, 25 insertions, 1 deletions
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index c87e8048a..ab9170f85 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -24,7 +24,7 @@ import os
from optparse import OptionGroup # pylint: disable=deprecated-module
import gssapi
-from ipalib.constants import RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME
+from ipalib.constants import RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME, IPA_CA_CN
from ipalib.install import certmonger, certstore
from ipapython import admintool, ipautil
from ipapython.certdb import (EMPTY_TRUST_FLAGS,
@@ -206,6 +206,10 @@ class CACertManage(admintool.AdminTool):
self.resubmit_request()
+ db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
+ cert = db.get_cert_from_db(self.cert_nickname)
+ update_ipa_ca_entry(api, cert)
+
print("CA certificate successfully renewed")
def renew_external_step_1(self, ca):
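Review bot: The new `update_ipa_ca_entry(api, cert)` call runs after the renewal has completed but before "CA certificate successfully renewed" is printed, so any LDAP failure inside it — `errors.NotFound` if the CA entry is missing, or a backend that is not connected — aborts the tool and reports a failure for a renewal that has in fact already succeeded; the same applies to the `update_ipa_ca_entry(api, new_cert)` call in the next hunk. Either catch those errors at the call site and log that the issuer DN could not be synced, or document that the LDAP update is part of the renewal's success criterion so an operator knows what to re-run. This hunk also relies on `certs`, `paths` and `api` being in scope while the import hunk adds only `IPA_CA_CN`; presumably they are imported earlier in the file, but that is outside the visible diff. The enclosing method begins before this hunk.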
@@ -327,6 +331,8 @@ class CACertManage(admintool.AdminTool):
except errors.EmptyModlist:
pass
+ update_ipa_ca_entry(api, new_cert)
+
try:
ca.set_renewal_master()
except errors.NotFound:
@@ -429,3 +435,21 @@ class CACertManage(admintool.AdminTool):
"Failed to install the certificate: %s" % e)
print("CA certificate successfully installed")
+
+
+def update_ipa_ca_entry(api, cert):
+ """
+ The Issuer DN of the IPA CA may have changed. Update the IPA CA entry.
+
+ :param api: finalised API object, with *connected* LDAP backend
+ :param cert: a python-cryptography Certificate object
+
+ """
+ try:
+ entry = api.Backend.ldap2.get_entry(
+ DN(('cn', IPA_CA_CN), api.env.container_ca, api.env.basedn),
+ ['ipacaissuerdn'])
+ entry['ipacaissuerdn'] = [DN(cert.issuer)]
+ api.Backend.ldap2.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
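Review bot: The docstring of `update_ipa_ca_entry` states its preconditions but not what escapes it: only `errors.EmptyModlist` is handled, so `errors.NotFound` (missing CA entry) and any connection error propagate to the callers, and the bare `pass` silently covers the common case where the issuer did not change. Add `:raises errors.NotFound: if the IPA CA entry does not exist` to the docstring and a comment on the except branch, `# issuer DN unchanged; nothing to write`. Whether `DN(cert.issuer)` accepts a python-cryptography `Name` directly cannot be confirmed from this diff, so the docstring's stated `cert` type should be checked against the `DN` constructor.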