URL: https://github.com/freeipa/freeipa/pull/1021 Author: flo-renaud Title: #1021: Backport PR 988 to ipa-4-5 Action: opened
PR body: """ Fix Certificate renewal (with ext ca) Fix certificate renewal scripts that use IPACertificate object: - renew_ca_cert adds the C flag to the trust flags and needs to be adapted to IPACertificate object - ipa-cacert-manage: fix python3 encoding issue https://pagure.io/freeipa/issue/7106 Reviewed-By: Fraser Tweedale <ftwee...@redhat.com> Reviewed-By: Stanislav Laznicka <slazn...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1021/head:pr1021 git checkout pr1021
From 50e54be5fcb378cca0b9d675095e969587775a4a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 18 Aug 2017 18:02:57 +0200
Subject: [PATCH] Backport PR 988 to ipa-4-5
Fix Certificate renewal (with ext ca) Fix certificate renewal scripts that use IPACertificate object: - renew_ca_cert adds the C flag to the trust flags and needs to be adapted to IPACertificate object - ipa-cacert-manage: fix python3 encoding issue https://pagure.io/freeipa/issue/7106
Reviewed-By: Fraser Tweedale <ftwee...@redhat.com>
Reviewed-By: Stanislav Laznicka <slazn...@redhat.com>
---
 install/restart_scripts/renew_ca_cert | 7 ++++++-
 ipaserver/install/ipa_cacert_manage.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index bb31defc0e..3bbf003bad 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -35,6 +35,7 @@ from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TrustFlags
 def _main():
@@ -180,7 +181,11 @@ def _main():
 # Pass Dogtag's self-tests
 for ca_nick in db.find_root_cert(nickname)[-2:-1]:
 ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
- db.trust_root_cert(ca_nick, 'C' + ca_flags)
+ usages = ca_flags.usages or set()
+ ca_flags_modified = TrustFlags(ca_flags.has_key,
+ True, True,
+ usages | {x509.EKU_SERVER_AUTH})
+ db.trust_root_cert(ca_nick, ca_flags_modified)
 finally:
 if conn is not None and conn.isconnected():
 conn.disconnect()
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index e88e8b63ae..fcbf09155a 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
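Review bot: In the second `renew_ca_cert` hunk, inside `_main()`, `TrustFlags(ca_flags.has_key, True, True, ...)` forces two trust attributes on through unlabelled positional booleans, so someone auditing this NSS trust change cannot see which attributes are being set or that the stored values from `ca_flags` are overridden. Assuming the tuple's fields are named `trusted` and `ca`, pass them by keyword: `TrustFlags(has_key=ca_flags.has_key, trusted=True, ca=True, usages=usages | {x509.EKU_SERVER_AUTH})`. A comment above it such as `# same effect as the old 'C' flag: trusted CA for TLS server certificates only` would record why trust is raised and that it is limited to server authentication. The new code also depends on `x509` being in scope in this script, but the import hunk shown adds only `TrustFlags`, so that is worth confirming. `_main()` begins and ends outside the hunk.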
@@ -218,7 +218,7 @@ def renew_external_step_2(self, ca, old_cert_der):
 cert_file, ca_file = installutils.load_external_cert(
 options.external_cert_files, DN(old_cert_obj.subject))
- with open(cert_file.name) as f:
+ with open(cert_file.name, 'rb') as f:
 new_cert_data = f.read()
 new_cert_der = x509.normalize_certificate(new_cert_data)
 new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)