From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 30 Nov 2018 15:49:20 +0100
Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.
The fix consists of deleting the cert and key files before calling
certmonger to request a new cert.
There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.
Fixes https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
ipaserver/install/ipa_pkinit_manage.py | 2 ++
ipaserver/install/krbinstance.py | 9 ++++++---
2 files changed, 8 insertions(+), 3 deletions(-)
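diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
--- a/ipaserver/install/ipa_pkinit_manage.py
+++ b/ipaserver/install/ipa_pkinit_manage.py
@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
 if ca_enabled:
 logger.warning(
 "Failed to stop tracking certificates: %s", e)
+ # remove the cert and key
+ krb.delete_pkinit_cert()
 
 krb.enable_ssl()
 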
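Review bot: The new `krb.delete_pkinit_cert()` call runs unconditionally, including right after the branch above where a failure to stop certmonger tracking appears to be only logged as a warning, and nothing guards the case where `krb.enable_ssl()` then fails, so the KDC can be left with neither the old nor a new PKINIT cert and key. That trade-off deserves stating at the call site; the comment could read `# certmonger keeps an existing cert file instead of requesting a new one, so remove cert and key first; if enable_ssl() fails the KDC has no PKINIT cert until this is rerun`. The enclosing method starts before this hunk, so whether a caller handles a failed `enable_ssl()` is not visible here.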
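diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -77,7 +77,7 @@ def is_pkinit_enabled():
 if os.path.exists(paths.KDC_CERT):
 pkinit_request_ca = get_pkinit_request_ca()
 
- if pkinit_request_ca != "SelfSign":
+ if pkinit_request_ca and pkinit_request_ca != "SelfSign":
 return True
 
 return False
@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
 def stop_tracking_certs(self):
 certmonger.stop_tracking(certfile=paths.KDC_CERT)
 
+ def delete_pkinit_cert(self):
+ installutils.remove_file(paths.KDC_CERT)
+ installutils.remove_file(paths.KDC_KEY)
+
 def uninstall(self):
 if self.is_configured():
 self.print_msg("Unconfiguring %s" % self.service_name)
@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
 # stop tracking and remove certificates
 self.stop_tracking_certs()
 installutils.remove_file(paths.CACERT_PEM)
- installutils.remove_file(paths.KDC_CERT)
- installutils.remove_file(paths.KDC_KEY)
+ self.delete_pkinit_cert()
 
 if running:
 self.restart()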
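Review bot: `delete_pkinit_cert` in the second hunk has no docstring and removes the private key only after the certificate; if `installutils.remove_file` raises on the first call (its failure behaviour is not visible here, so confirm), `paths.KDC_KEY` stays on disk while the cert is gone, and a stray private key is the worse leftover of the two. Consider removing `paths.KDC_KEY` before `paths.KDC_CERT` and adding `"""Remove the PKINIT cert and key files so certmonger issues a fresh request on the next enable_ssl() call."""`. In the first hunk, the new `pkinit_request_ca and ...` guard presumably relies on `get_pkinit_request_ca()` returning a falsy value when no tracking request exists; a short comment naming that assumption would help, since that function is outside the hunk.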
--
2.17.2