From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 30 Nov 2018 15:49:20 +0100
Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable

The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.

The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.

There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.

Fixes https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/ipa_pkinit_manage.py | 2 ++
 ipaserver/install/krbinstance.py       | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
--- a/ipaserver/install/ipa_pkinit_manage.py
+++ b/ipaserver/install/ipa_pkinit_manage.py
@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
                 if ca_enabled:
                     logger.warning(
                         "Failed to stop tracking certificates: %s", e)
+            # remove the cert and key
+            krb.delete_pkinit_cert()
 
             krb.enable_ssl()
 
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -77,7 +77,7 @@ def is_pkinit_enabled():
     if os.path.exists(paths.KDC_CERT):
         pkinit_request_ca = get_pkinit_request_ca()
 
-        if pkinit_request_ca != "SelfSign":
+        if pkinit_request_ca and pkinit_request_ca != "SelfSign":
             return True
 
     return False
@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
     def stop_tracking_certs(self):
         certmonger.stop_tracking(certfile=paths.KDC_CERT)
 
+    def delete_pkinit_cert(self):
+        installutils.remove_file(paths.KDC_CERT)
+        installutils.remove_file(paths.KDC_KEY)
+
     def uninstall(self):
         if self.is_configured():
             self.print_msg("Unconfiguring %s" % self.service_name)
@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
         # stop tracking and remove certificates
         self.stop_tracking_certs()
         installutils.remove_file(paths.CACERT_PEM)
-        installutils.remove_file(paths.KDC_CERT)
-        installutils.remove_file(paths.KDC_KEY)
+        self.delete_pkinit_cert()
 
         if running:
             self.restart()
-- 
2.17.2