From 1952fb1c90b444f7ecb0057451d5deb599df3d5f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 27 May 2019 10:00:32 +1000
Subject: [PATCH] ipa-cert-fix: fix spurious renewal master change
We only want to become the renewal master if we actually renewed a
shared certificate. But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset. Fix the
bug.
A static type system would have excluded this bug.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 5d5668b1d89115adcda167222ffc38a0caa690a2..fff054c230c414fdf10eef1cf1b00697a63e386a 100644
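--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -128,7 +128,7 @@ class IPACertFix(AdminTool):
 replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
 install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
 
-if any(x != 'sslserver' for x in certs) \
+if any(x[0] != 'sslserver' for x in certs) \
 or any(x[0] is IPACertType.IPARA for x in extra_certs):
 # we renewed a "shared" certificate, therefore we must
 # become the renewal master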
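Review bot: The corrected test `x[0] != 'sslserver'` still picks the certificate id out of each `certs` element by position, so nothing at this line records what the elements are, and that implicit shape is what let the original element-versus-string comparison go unnoticed. Unpacking in the generator, for example `any(cert_id != 'sslserver' for cert_id, *_ in certs)`, names the field being compared and would read the same way for the `extra_certs` clause on the next line. The condition is also a one-entry exclusion list, so any id other than 'sslserver' triggers the renewal-master change; a comment such as `# every Dogtag cert id except 'sslserver' is treated as shared` would make that explicit, and a regression test that renews only 'sslserver' would pin the fixed behaviour. The enclosing method starts and ends outside the hunk, and the original indentation is not preserved in this view.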
--
2.20.1