author | Jan Cholasta <jcholast@redhat.com> | 2014-12-04 15:34:55 +0000 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2014-12-09 13:16:49 +0100 |
commit | 1f6fff2b5aea7f92e3321870ea59661b127ab50a (patch) | |
tree | 668dc7ccb40f98efd91de7d8ccc5e778b5e3fa0e /install/certmonger | |
parent | 423c3e8f34d6ae6655c3b82c4e5a18caf1e63a49 (diff) | |
Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.
https://fedorahosted.org/freeipa/ticket/4784
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index e0dd33fda..c63c0c2c5 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -147,7 +147,7 @@ def request_cert(): path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT args = [path] + sys.argv[1:] if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert': - args += ['-O', 'bypassCAnotafter=true'] + args += ['-N', '-O', 'bypassCAnotafter=true'] stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ) sys.stderr.write(stderr) sys.stderr.flush() |
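Review bot: the `-N` added in the `caCACert` branch of `request_cert()` has no comment explaining why it is there, and the flag on its own does not tell a reader that it implements "always use the full CSR" from the commit message. A one-line comment above `args += ['-N', '-O', 'bypassCAnotafter=true']` stating that the IPA CA cert must not be renewed by serial number because it may be issued by an external CA, with a pointer to ticket 4784, would keep a later cleanup from dropping it. The flag is also gated only on `CERTMONGER_CA_PROFILE == 'caCACert'`, so it is worth confirming that this profile is set on every path that renews the IPA CA certificate, since any other path would still go through the helper without `-N`.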