From 21b0fdb48179e6060eff0ecb11ce6522983ccc00 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 18 Aug 2017 18:02:57 +0200
Subject: [PATCH] Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext
ca)
Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue
https://pagure.io/freeipa/issue/7106
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
install/restart_scripts/renew_ca_cert | 7 ++++++-
ipaserver/install/ipa_cacert_manage.py | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
|
|
|
460745 |
index bb31defc0e2bdca044e68ae067f42fb3bd41a57f..3bbf003bad47a189fd26df19e6ab137fcbb67ed0 100644
|
|
|
460745 |
--- a/install/restart_scripts/renew_ca_cert
|
|
|
460745 |
+++ b/install/restart_scripts/renew_ca_cert
|
|
|
460745 |
@@ -35,6 +35,7 @@ from ipaserver.install import certs, cainstance, installutils
|
|
|
460745 |
from ipaserver.plugins.ldap2 import ldap2
|
|
|
460745 |
from ipaplatform import services
|
|
|
460745 |
from ipaplatform.paths import paths
|
|
|
460745 |
+from ipapython.certdb import TrustFlags
|
|
|
460745 |
|
|
|
460745 |
|
|
|
460745 |
def _main():
|
|
|
460745 |
@@ -180,7 +181,11 @@ def _main():
|
|
|
460745 |
# Pass Dogtag's self-tests
|
|
|
460745 |
for ca_nick in db.find_root_cert(nickname)[-2:-1]:
|
|
|
460745 |
ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
|
|
|
460745 |
- db.trust_root_cert(ca_nick, 'C' + ca_flags)
|
|
|
460745 |
+ usages = ca_flags.usages or set()
|
|
|
460745 |
+ ca_flags_modified = TrustFlags(ca_flags.has_key,
|
|
|
460745 |
+ True, True,
|
|
|
460745 |
+ usages | {x509.EKU_SERVER_AUTH})
|
|
|
460745 |
+ db.trust_root_cert(ca_nick, ca_flags_modified)
|
|
|
460745 |
finally:
|
|
|
460745 |
if conn is not None and conn.isconnected():
|
|
|
460745 |
conn.disconnect()
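Review bot: The two bare positional booleans in `TrustFlags(ca_flags.has_key, True, True, ...)` hide what is being granted here — the stored entry's own trusted/CA values are discarded and the root is unconditionally re-marked as a trusted CA for server auth, which is the same widening the removed `'C' +` prefix performed, but nothing in the new lines says so. Pass them as keywords and state the intent: `ca_flags_modified = TrustFlags(ca_flags.has_key, trusted=True, ca=True, usages=usages | {x509.EKU_SERVER_AUTH})`, preceded by `# same effect as the old 'C' NSS flag: trust this root as a CA for server auth so Dogtag's self-test accepts its own chain`. The `or set()` fallback on the line above also deserves a one-line why-comment, since it presumably guards against TrustFlags rejecting a trusted entry with no usages and a later reader will otherwise be tempted to drop it. `x509` is not imported within this hunk, so it presumably comes from an import earlier in the file; `_main` itself begins and ends outside the hunk.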
|
|
|
460745 |
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
|
|
|
460745 |
index e88e8b63ae94759ac835f3b3b31b0735d68a67b0..fcbf09155a3abc9ce9481aa2519ed39aaa6aa9bb 100644
|
|
|
460745 |
--- a/ipaserver/install/ipa_cacert_manage.py
|
|
|
460745 |
+++ b/ipaserver/install/ipa_cacert_manage.py
|
|
|
460745 |
@@ -218,7 +218,7 @@ class CACertManage(admintool.AdminTool):
|
|
|
460745 |
cert_file, ca_file = installutils.load_external_cert(
|
|
|
460745 |
options.external_cert_files, DN(old_cert_obj.subject))
|
|
|
460745 |
|
|
|
460745 |
- with open(cert_file.name) as f:
|
|
|
460745 |
+ with open(cert_file.name, 'rb') as f:
|
|
|
460745 |
new_cert_data = f.read()
|
|
|
460745 |
new_cert_der = x509.normalize_certificate(new_cert_data)
|
|
|
460745 |
new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)
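Review bot: The switch to `open(cert_file.name, 'rb')` carries no comment explaining why binary mode is required, and on a tree that still runs under both Python 2 and 3 the next cleanup pass may "simplify" it back to a text open and reintroduce the encoding failure. Add `# read bytes, not str: x509.normalize_certificate needs raw cert data on Python 3` above the `with`. The enclosing `CACertManage` method starts and ends outside this hunk, so I cannot see whether the `cert_file` handle returned by `load_external_cert` is closed afterwards; worth confirming it is.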
--
2.13.5