Hi,

the attached patch should fix <https://fedorahosted.org/freeipa/ticket/3805>. I haven't actually tested the patch, as I didn't manage to install an older Fedora with a FreeIPA that uses separate DS instances and then upgrade it to Fedora 19.


Simo, you opened the ticket, would you mind testing the patch? It should be sufficient to resubmit certmonger requests which use renew_ca_cert and renew_ra_cert and see if it works.

Honza

--
Jan Cholasta
From 78cd239cd6bbe84d1c80cc856df23b7a3ce03154 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 22 Jul 2013 12:03:55 +0000
Subject: [PATCH] Use configured dogtag LDAP port instead of default one when
 renewing certs.

https://fedorahosted.org/freeipa/ticket/3805
---
 install/restart_scripts/renew_ca_cert | 3 ++-
 install/restart_scripts/renew_ra_cert | 6 +++++-
 ipaserver/install/cainstance.py       | 3 +--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5768db3..678842c 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -50,6 +50,7 @@ api.finalize()
 configured_constants = dogtag.configured_constants(api)
 alias_dir = configured_constants.ALIAS_DIR
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
 
 # Fetch the new certificate
 db = certs.CertDB(api.env.realm, nssdir=alias_dir)
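Review bot: The LDAP URI on the added line is assembled by hand from `DS_PORT` with `localhost` and the plain `ldap://` scheme baked in, and the identical expression is repeated in renew_ra_cert (the `dogtag_uri = ...` line in its second hunk), so the decision of how to reach the CA's directory server now lives in two scripts instead of the one function it was removed from. A small helper next to `dogtag.configured_constants()`, for example a proposed `dogtag.ldap_uri(api)` returning that string, would keep scheme, host and port in one place and let the renewal scripts and cainstance stay in step if either ever changes. The `%d` conversion also presumes `DS_PORT` is an int; if the configured constant can come back as a string from the config parser, the script fails on this line rather than at the LDAP call, which is worth confirming against `configured_constants`.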
@@ -86,7 +87,7 @@ finally:
 update_cert_config(nickname, cert)
 
 if nickname == 'subsystemCert cert-pki-ca':
-    update_people_entry('pkidbuser', cert)
+    update_people_entry(dogtag_uri, 'pkidbuser', cert)
 
 if nickname == 'auditSigningCert cert-pki-ca':
     # Fix trust on the audit cert
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e541e4b..49fbfac 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -26,6 +26,7 @@ import syslog
 import time
 from ipapython import services as ipaservices
 from ipapython import ipautil
+from ipapython import dogtag
 from ipaserver.install import certs
 from ipaserver.install.cainstance import update_people_entry
 from ipalib import api
@@ -36,12 +37,15 @@ from ipaserver.plugins.ldap2 import ldap2
 api.bootstrap(context='restart')
 api.finalize()
 
+configured_constants = dogtag.configured_constants(api)
+dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
+
 # Fetch the new certificate
 db = certs.CertDB(api.env.realm)
 dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-update_people_entry('ipara', dercert)
+update_people_entry(dogtag_uri, 'ipara', dercert)
 
 attempts = 0
 updated = False
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ca3ee69..6f4f396 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1707,7 +1707,7 @@ def update_cert_config(nickname, cert):
                                 base64.b64encode(cert),
                                 quotes=False, separator='=')
 
-def update_people_entry(uid, dercert):
+def update_people_entry(dogtag_uri, uid, dercert):
     """
     Update the userCerticate for an entry in the dogtag ou=People. This
     is needed when a certificate is renewed.
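Review bot: The docstring of update_people_entry is not updated for the new leading `dogtag_uri` parameter, so the only description of what callers must pass is the two call sites in the renewal scripts. Adding a line under the existing text such as `dogtag_uri -- LDAP URI of the Dogtag directory server that holds ou=People (callers build it from configured_constants.DS_PORT)` would make the contract explicit. The remainder of the docstring and the function body lie outside the hunk; if a parameter list for uid and dercert exists further down, the new entry belongs there in the same style.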
@@ -1725,7 +1725,6 @@ def update_people_entry(uid, dercert):
     issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
     attempts = 0
-    dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
     updated = False
 
     try:
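Review bot: With the local `dogtag_uri` assignment removed, `DEFAULT_DSPORT` may have no remaining use in cainstance.py; if it was imported only for that line, the import is now dead and should be dropped from the module's import block, which is outside this hunk. A short comment above `updated = False`, for example `# dogtag_uri is supplied by the caller (renew_ca_cert / renew_ra_cert); no default port here`, would tell a future reader why the function no longer chooses the port itself. update_people_entry's body continues beyond the hunk.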
-- 
1.8.3.1
