From a292db4ee5cc30161948d8e71f3b998f978ae7f9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 4 Dec 2014 15:34:55 +0000
Subject: [PATCH] Do not renew the IPA CA cert by serial number in
dogtag-ipa-ca-renew-agent
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.
https://fedorahosted.org/freeipa/ticket/4784
Reviewed-By: David Kupka <dkupka@redhat.com>
---
install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index e0dd33fda6036ed2fb003a89c35eacb1784a5e25..c63c0c2c5f863e05cafad293a60d9157c732e7ad 100755
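--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -147,7 +147,7 @@ def request_cert():
 path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
 args = [path] + sys.argv[1:]
 if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
- args += ['-O', 'bypassCAnotafter=true']
+ args += ['-N', '-O', 'bypassCAnotafter=true']
 stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
 sys.stderr.write(stderr)
 sys.stderr.flush()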
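Review bot: The new `-N` on the `args +=` line has no explanation at the call site, although together with `bypassCAnotafter=true` it changes how the CA certificate itself is re-issued. Going by the commit message, `-N` makes the helper submit the full CSR rather than renew by serial number, so a comment such as `# -N: submit the full CSR as a new request; renewal by serial fails when the IPA CA is a subordinate of an external CA` would stop the flag from being dropped in a later cleanup. The branch is taken only when `CERTMONGER_CA_PROFILE` equals `caCACert`, so a CA renewal request that arrives with a different or unset profile would presumably still renew by serial; it is worth confirming that every caller sets it. `request_cert()` starts and ends outside the hunk, so how `rc` from `ipautil.run(..., raiseonerr=False, ...)` is handled cannot be checked here.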
--
2.1.0