From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Fri, 30 Nov 2018 15:49:20 +0100
Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable

The command ipa-pkinit-manage enable|disable is reporting success even though the PKINIT cert is not re-issued. The command triggers the request of a new certificate (signed by IPA CA when state=enable, selfsigned when disabled), but as the cert file is still present, certmonger does not create a new request and the existing certificate is kept.

The fix consists in deleting the cert and key file before calling certmonger to request a new cert.

There was also an issue in the is_pkinit_enabled() function: if no tracking request was found for the PKINIT cert, is_pkinit_enabled() was returning True while it should not.

Fixes https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
---
 ipaserver/install/ipa_pkinit_manage.py | 2 ++
 ipaserver/install/krbinstance.py | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
--- a/ipaserver/install/ipa_pkinit_manage.py
+++ b/ipaserver/install/ipa_pkinit_manage.py
@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
             if ca_enabled:
                 logger.warning(
                     "Failed to stop tracking certificates: %s", e)
+        # remove the cert and key
+        krb.delete_pkinit_cert()
 
         krb.enable_ssl()
 
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
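Review bot: The new `# remove the cert and key` comment says what the added line does but not why it is needed, and the reason is exactly what the commit fixes: certmonger keeps the existing certificate while the cert file is still on disk, so without the deletion the following `krb.enable_ssl()` would leave the old (wrongly signed or self-signed) certificate in place. I would replace it with `# Delete the current cert and key first: certmonger does not issue a new request while the cert file exists, so enable_ssl() would keep the old certificate`. It is also worth noting in that comment that the deletion runs even when stop_tracking_certs() failed and only a warning was logged above, and that if the new request presumably issued by enable_ssl() fails, the KDC is left with no PKINIT cert or key at all rather than the previous one. The enclosing method starts before and ends after this hunk.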
@@ -77,7 +77,7 @@ def is_pkinit_enabled():
     if os.path.exists(paths.KDC_CERT):
         pkinit_request_ca = get_pkinit_request_ca()
 
-        if pkinit_request_ca != "SelfSign":
+        if pkinit_request_ca and pkinit_request_ca != "SelfSign":
             return True
 
     return False
@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
     def stop_tracking_certs(self):
         certmonger.stop_tracking(certfile=paths.KDC_CERT)
 
+    def delete_pkinit_cert(self):
+        installutils.remove_file(paths.KDC_CERT)
+        installutils.remove_file(paths.KDC_KEY)
+
     def uninstall(self):
         if self.is_configured():
             self.print_msg("Unconfiguring %s" % self.service_name)
@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
         # stop tracking and remove certificates
         self.stop_tracking_certs()
         installutils.remove_file(paths.CACERT_PEM)
-        installutils.remove_file(paths.KDC_CERT)
-        installutils.remove_file(paths.KDC_KEY)
+        self.delete_pkinit_cert()
 
         if running:
             self.restart()
-- 
2.17.2
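Review bot: The corrected condition in `is_pkinit_enabled()` relies on a falsy return from `get_pkinit_request_ca()` meaning "no tracking request", which the commit message explains but nothing in the code does, so the next reader may well simplify the check back to its old form. I would add a docstring such as `"""Return True only if the KDC cert exists, certmonger tracks it and the issuing CA is not SelfSign."""` and make the fixed case explicit on the changed line with `# falsy: no tracking request found, so PKINIT was never enabled`. If `get_pkinit_request_ca()` is documented to return None in that case, `pkinit_request_ca is not None and ...` would state the intent even more precisely, but that return contract is not visible here. The def line of this function is before the hunk.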
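Review bot: `delete_pkinit_cert()` has no docstring, and since it unlinks the KDC's private key as well as the certificate, its callers' ordering assumption deserves to be written down: both call sites visible in this patch (enable() in ipa_pkinit_manage.py and uninstall() below) call `stop_tracking_certs()` first, presumably so certmonger is not left tracking files that no longer exist. I would add `"""Remove the PKINIT cert and key files so that the next request actually issues a new certificate; call stop_tracking_certs() first."""`. Whether `installutils.remove_file` tolerates an already-missing file is not visible here; if it does not, the helper should guard the enable path being run twice.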