URL: https://github.com/freeipa/freeipa/pull/1548
Author: tiran
 Title: #1548: [Backport][ipa-4-6] Update IPA CA issuer DN upon renewal
Action: opened

PR body:
"""
This PR was opened automatically because PR #1503 was pushed to master and 
a backport to ipa-4-6 is required.
"""

From f5ff6767206e9b25c0aad49474a7ab70005f16b5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 29 Jan 2018 18:34:51 +1100
Subject: [PATCH] Update IPA CA issuer DN upon renewal

When renewing an externally-signed CA or when switching from an
externally-signed to a self-signed CA, the Issuer DN can change.
Update the ipaCaIssuerDn field of the IPA CA entry upon renewal, to
keep it in sync.

Fixes: https://pagure.io/freeipa/issue/7316
---
 ipaserver/install/ipa_cacert_manage.py | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index c87e8048af..ab9170f851 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -24,7 +24,7 @@
 from optparse import OptionGroup  # pylint: disable=deprecated-module
 import gssapi
 
-from ipalib.constants import RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME
+from ipalib.constants import RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME, IPA_CA_CN
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
 from ipapython.certdb import (EMPTY_TRUST_FLAGS,
@@ -206,6 +206,10 @@ def renew_self_signed(self, ca):
 
         self.resubmit_request()
 
+        db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
+        cert = db.get_cert_from_db(self.cert_nickname)
+        update_ipa_ca_entry(api, cert)
+
         print("CA certificate successfully renewed")
 
     def renew_external_step_1(self, ca):
@@ -327,6 +331,8 @@ def renew_external_step_2(self, ca, old_cert):
         except errors.EmptyModlist:
             pass
 
+        update_ipa_ca_entry(api, new_cert)
+
         try:
             ca.set_renewal_master()
         except errors.NotFound:
@@ -429,3 +435,21 @@ def install(self):
                 "Failed to install the certificate: %s" % e)
 
         print("CA certificate successfully installed")
+
+
+def update_ipa_ca_entry(api, cert):
+    """
+    The Issuer DN of the IPA CA may have changed.  Update the IPA CA entry.
+
+    :param api: finalised API object, with *connected* LDAP backend
+    :param cert: a python-cryptography Certificate object
+
+    """
+    try:
+        entry = api.Backend.ldap2.get_entry(
+            DN(('cn', IPA_CA_CN), api.env.container_ca, api.env.basedn),
+            ['ipacaissuerdn'])
+        entry['ipacaissuerdn'] = [DN(cert.issuer)]
+        api.Backend.ldap2.update_entry(entry)
+    except errors.EmptyModlist:
+        pass
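Review bot: The `pass` under `except errors.EmptyModlist` carries no explanation, and the docstring does not say that the update is a deliberate no-op when the issuer DN is unchanged (the usual case for a plain self-signed renewal), which is the only reason swallowing that error is correct; a comment such as `pass  # issuer DN unchanged: nothing to write` plus one docstring sentence stating it would make the intent explicit. The docstring's claim that `cert` is a python-cryptography Certificate should be checked against both call sites — `db.get_cert_from_db(...)` in `renew_self_signed` and `new_cert` in `renew_external_step_2` — because `DN(cert.issuer)` depends on what type `issuer` is, and the two callers must agree. `DN` is not brought in by the import hunk, so it presumably is already imported in this module; if not, the helper fails only at runtime, after the renewal has completed. The "connected LDAP backend" precondition is documented but not checked; if it is not obviously satisfied at both call sites, it is worth restating there.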