author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-17 13:33:26 +1000 |
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-29 08:52:29 +0200 |
commit | 67f13c82d877a9909ab89d3d30eeb7c966cc09e4 (patch) | |
tree | 9695cec90c27a19d6d5b548aabbf62d9ead0cde3 | |
parent | f0b1e37d2e048b5f375ec485e2b69e722a7bc7b7 (diff) | |
Skip CS.cfg update if cert nickname not known
After CA certificate renewal, the ``renew_ca_cert`` helper updates
certificate data in CS.cfg. An unrecognised nickname will raise
``KeyError``. To allow the helper to be used for arbitrary
certificates (e.g. lightweight CAs), do not fail if the nickname is
unrecognised - just skip the update.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipaserver/install/cainstance.py | 5 | ||||
-rw-r--r-- | ipaserver/install/dogtaginstance.py | 7 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 5 |
3 files changed, 9 insertions, 8 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8be4e1f86..15433f663 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1241,8 +1241,9 @@ class CAInstance(DogtagInstance):
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
- DogtagInstance.update_cert_cs_cfg(
- nickname, cert, directives, paths.CA_CS_CFG_PATH)
+ if nickname in directives:
+ DogtagInstance.update_cert_cs_cfg(
+ directives[nickname], cert, paths.CA_CS_CFG_PATH)
 def __create_ds_db(self):
 '''
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 9f094d834..b65628277 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -370,21 +370,20 @@ class DogtagInstance(service.Service):
 cmonger.stop()
 @staticmethod
- def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
+ def update_cert_cs_cfg(directive, cert, cs_cfg):
 """
 When renewing a Dogtag subsystem certificate the configuration file
 needs to get the new certificate as well.
- nickname is one of the known nicknames.
+ ``directive`` is the directive to update in CS.cfg
 cert is a DER-encoded certificate.
- directives is the list of directives to be updated for the subsystem
 cs_cfg is the path to the CS.cfg file
 """
 with stopped_service('pki-tomcatd', 'pki-tomcat'):
 installutils.set_directive(
 cs_cfg,
- directives[nickname],
+ directive,
 base64.b64encode(cert),
 quotes=False,
 separator='=')
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 67ad6544c..dc4472688 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
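Review bot: The new `if nickname in directives:` guard in the cainstance.py hunk skips the CS.cfg write with no trace, so an operator has no record that a renewed certificate was not propagated into the subsystem configuration; the krainstance.py hunk adds the identical guard. This hunk already reports the backup failure through syslog, so an `else:` branch with `syslog.syslog(syslog.LOG_INFO, "No CS.cfg directive for nickname %s, skipping update" % nickname)` would make the intentional skip for lightweight CAs observable and would also surface the case where the directive table and the set of renewed nicknames drift apart. The guard presumes `directives` is a mapping in the CA helper, which is visible for the KRA hunk but not in this one. The enclosing method starts outside the hunk.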
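Review bot: The rewritten docstring line in the dogtaginstance.py hunk documents the new parameter as ``directive`` with RST double-backticks and no trailing period, while the neighbouring `cert` and `cs_cfg` lines keep the plain-name, full-sentence style; `directive is the directive to update in CS.cfg.` would match them. The first positional parameter changed meaning from a nickname to a directive name, so a caller still passing the old four arguments fails with a TypeError rather than writing the wrong key, which is the safer failure mode; both callers visible in this commit are updated, any others cannot be checked from here. The staticmethod appears to be contained entirely within the hunk.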
@@ -348,8 +348,9 @@ class KRAInstance(DogtagInstance):
 'subsystemCert cert-pki-kra': 'kra.subsystem.cert',
 'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}
- DogtagInstance.update_cert_cs_cfg(
- nickname, cert, directives, paths.KRA_CS_CFG_PATH)
+ if nickname in directives:
+ DogtagInstance.update_cert_cs_cfg(
+ directives[nickname], cert, paths.KRA_CS_CFG_PATH)
 def __enable_instance(self):
 self.ldap_enable('KRA', self.fqdn, None, self.suffix)
 |