URL: https://github.com/freeipa/freeipa/pull/1032
Author: tomaskrizek
Title: #1032: Backport PR 1002 to ipa-4-5
Action: opened

PR body:
This PR was opened automatically because PR #1002 was pushed to master and 
backport to ipa-4-5 is required.

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1032/head:pr1032
git checkout pr1032
From bbab8e36d4774a0ba3315e88c50d2eaeacb115d7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 25 Aug 2017 14:32:42 +1000
Subject: [PATCH] Fix external renewal for CA with non-default subject DN

When running ``ipa-cacert-manage renew --external-ca`` with an IPA
CA having a subject DN that does not correspond to ``CN=Certificate
Authority, {subject-base}``, the CSR for submission to the external
CA is not generated.  dogtag-ipa-ca-renew-agent-submit is wrongly
assuming the default form of the CA subject DN.

Update dogtag-ipa-ca-renew-agent-submit to look up the actual
subject DN.

Fixes: https://pagure.io/freeipa/issue/7123
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 3d3e791449..e9fd2e66e5 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -46,7 +46,7 @@ from ipapython.dn import DN
 from ipalib import api, errors, x509
 from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance, dsinstance, certs
+from ipaserver.install import ca, cainstance, dsinstance, certs
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -84,9 +84,10 @@ def get_nickname():
     if not subject_base:
         return None
+    ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
     nickname_by_subject_dn = {
-        DN('CN=Certificate Authority', subject_base):
-            'caSigningCert cert-pki-ca',
+        DN(ca_subject_dn): 'caSigningCert cert-pki-ca',
         DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca',
         DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca',
         DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
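Review bot: In get_nickname(), the new `ca_subject_dn = ca.lookup_ca_subject(api, subject_base)` call has no visible handling for a failed or empty lookup. The function already returns None when subject_base is missing, but if the lookup raises, or returns a value that `DN(ca_subject_dn)` cannot parse, the helper would stop with an exception instead of taking that same None path. Consider checking the result (or catching the lookup error) and returning None in that case. A short comment above the call, saying that the CA subject DN may differ from `CN=Certificate Authority, {subject-base}`, would also make the reason for the lookup clear to the next reader.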