ad1545
From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
ad1545
From: Florence Blanc-Renaud <flo@redhat.com>
ad1545
Date: Fri, 30 Nov 2018 15:49:20 +0100
ad1545
Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable
ad1545
ad1545
The command ipa-pkinit-manage enable|disable is reporting
ad1545
success even though the PKINIT cert is not re-issued.
ad1545
The command triggers the request of a new certificate
ad1545
(signed by IPA CA when state=enable, selfsigned when disabled),
ad1545
but as the cert file is still present, certmonger does not create
ad1545
a new request and the existing certificate is kept.
ad1545
ad1545
The fix consists in deleting the cert and key file before calling
ad1545
certmonger to request a new cert.
ad1545
ad1545
There was also an issue in the is_pkinit_enabled() function:
ad1545
if no tracking request was found for the PKINIT cert,
ad1545
is_pkinit_enabled() was returning True while it should not.
ad1545
ad1545
Fixes https://pagure.io/freeipa/issue/7200
ad1545
ad1545
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ad1545
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ad1545
---
ad1545
 ipaserver/install/ipa_pkinit_manage.py | 2 ++
ad1545
 ipaserver/install/krbinstance.py       | 9 ++++++---
ad1545
 2 files changed, 8 insertions(+), 3 deletions(-)
ad1545
ad1545
diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
ad1545
index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
ad1545
--- a/ipaserver/install/ipa_pkinit_manage.py
ad1545
+++ b/ipaserver/install/ipa_pkinit_manage.py
ad1545
@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
ad1545
                 if ca_enabled:
ad1545
                     logger.warning(
ad1545
                         "Failed to stop tracking certificates: %s", e)
ad1545
+            # remove the cert and key
ad1545
+            krb.delete_pkinit_cert()
ad1545
 
ad1545
             krb.enable_ssl()
ad1545
 
ad1545
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
ad1545
index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
ad1545
--- a/ipaserver/install/krbinstance.py
ad1545
+++ b/ipaserver/install/krbinstance.py
ad1545
@@ -77,7 +77,7 @@ def is_pkinit_enabled():
ad1545
     if os.path.exists(paths.KDC_CERT):
ad1545
         pkinit_request_ca = get_pkinit_request_ca()
ad1545
 
ad1545
-        if pkinit_request_ca != "SelfSign":
ad1545
+        if pkinit_request_ca and pkinit_request_ca != "SelfSign":
ad1545
             return True
ad1545
 
ad1545
     return False
ad1545
@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
ad1545
     def stop_tracking_certs(self):
ad1545
         certmonger.stop_tracking(certfile=paths.KDC_CERT)
ad1545
 
ad1545
+    def delete_pkinit_cert(self):
ad1545
+        installutils.remove_file(paths.KDC_CERT)
ad1545
+        installutils.remove_file(paths.KDC_KEY)
ad1545
+
ad1545
     def uninstall(self):
ad1545
         if self.is_configured():
ad1545
             self.print_msg("Unconfiguring %s" % self.service_name)
ad1545
@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
ad1545
         # stop tracking and remove certificates
ad1545
         self.stop_tracking_certs()
ad1545
         installutils.remove_file(paths.CACERT_PEM)
ad1545
-        installutils.remove_file(paths.KDC_CERT)
ad1545
-        installutils.remove_file(paths.KDC_KEY)
ad1545
+        self.delete_pkinit_cert()
ad1545
 
ad1545
         if running:
ad1545
             self.restart()
ad1545
-- 
ad1545
2.17.2
ad1545