From a292db4ee5cc30161948d8e71f3b998f978ae7f9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 4 Dec 2014 15:34:55 +0000
Subject: [PATCH] Do not renew the IPA CA cert by serial number in
 dogtag-ipa-ca-renew-agent

Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.

https://fedorahosted.org/freeipa/ticket/4784

Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index e0dd33fda6036ed2fb003a89c35eacb1784a5e25..c63c0c2c5f863e05cafad293a60d9157c732e7ad 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -147,7 +147,7 @@ def request_cert():
     path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
     args = [path] + sys.argv[1:]
     if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
-        args += ['-O', 'bypassCAnotafter=true']
+        args += ['-N', '-O', 'bypassCAnotafter=true']
     stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
     sys.stderr.write(stderr)
     sys.stderr.flush()
-- 
2.1.0