|
 |
483b06 |
From 55e779b19714532744c8b22e514e9e49563350e3 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Jan Cholasta <jcholast@redhat.com>
|
|
|
483b06 |
Date: Mon, 24 Apr 2017 05:24:24 +0000
|
|
|
483b06 |
Subject: [PATCH] renew agent: respect CA renewal master setting
|
|
|
483b06 |
|
|
|
483b06 |
Do not bypass the renewal master check when a non-virtual profile is used
|
|
|
483b06 |
in dogtag-ipa-ca-renew-agent-submit.
|
|
|
483b06 |
|
|
|
483b06 |
This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
|
|
|
483b06 |
setting for certificates tracked with a real profile. (Note that there
|
|
|
483b06 |
currently aren't any such certificates tracked by us.)
|
|
|
483b06 |
|
|
|
483b06 |
Request the RA certificate using dogtag-submit rather than
|
|
|
483b06 |
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
|
|
|
483b06 |
available so early in the install process.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/5799
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
483b06 |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +-
|
|
|
483b06 |
ipaserver/install/cainstance.py | 2 +-
|
|
|
483b06 |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
|
|
|
483b06 |
index 7a3d9551884c0fe43566dd9012699211a39294eb..f253fd9587ac1ef3ece712ca9999c1ea4f3d55d8 100755
|
|
|
483b06 |
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
|
|
|
483b06 |
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
|
|
|
483b06 |
@@ -535,7 +535,7 @@ def main():
|
|
|
483b06 |
|
|
|
483b06 |
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
|
|
483b06 |
if is_replicated():
|
|
|
483b06 |
- if profile or is_renewal_master():
|
|
|
483b06 |
+ if is_renewal_master():
|
|
|
483b06 |
handler = request_and_store_cert
|
|
|
483b06 |
else:
|
|
|
483b06 |
handler = retrieve_cert_continuous
|
|
|
483b06 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
483b06 |
index d72feb884964ecf49fe0166cbfeb3cb2c10737fe..97baa606c960806376e025b5654eea816da207ed 100644
|
|
|
483b06 |
--- a/ipaserver/install/cainstance.py
|
|
|
483b06 |
+++ b/ipaserver/install/cainstance.py
|
|
|
483b06 |
@@ -822,7 +822,7 @@ class CAInstance(DogtagInstance):
|
|
|
483b06 |
"-out", chain_file.name,
|
|
|
483b06 |
], stdin=data, capture_output=False)
|
|
|
483b06 |
|
|
|
483b06 |
- agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
|
|
|
483b06 |
+ agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT,
|
|
|
483b06 |
"--dbdir", self.tmp_agent_db,
|
|
|
483b06 |
"--nickname", "ipa-ca-agent",
|
|
|
483b06 |
"--cafile", chain_file.name,
|
|
|
483b06 |
--
|
|
|
483b06 |
2.9.3
|
|
|
483b06 |
|