URL: https://github.com/freeipa/freeipa/pull/1002 Author: frasertweedale Title: #1002: Fix external renewal for CA with non-default subject DN Action: opened
PR body: """ When running ``ipa-cacert-manage renew --external-ca`` with an IPA CA having a subject DN that does not correspond to ``CN=Certificate Authority, {subject-base}``, the CSR for submission to the external CA is not generated. dogtag-ipa-ca-renew-agent-submit is wrongly assuming the default form of the CA subject DN. Update dogtag-ipa-ca-renew-agent-submit to look up the actual subject DN. Fixes: https://pagure.io/freeipa/issue/7123 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1002/head:pr1002 git checkout pr1002
From e61069058c31f99e6500e4388cfa2c63bb7cbd11 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Fri, 25 Aug 2017 14:32:42 +1000 Subject: [PATCH] Fix external renewal for CA with non-default subject DN When running ``ipa-cacert-manage renew --external-ca`` with an IPA CA having a subject DN that does not correspond to ``CN=Certificate Authority, {subject-base}``, the CSR for submission to the external CA is not generated. dogtag-ipa-ca-renew-agent-submit is wrongly assuming the default form of the CA subject DN. Update dogtag-ipa-ca-renew-agent-submit to look up the actual subject DN. Fixes: https://pagure.io/freeipa/issue/7123 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 8d94fe2ec1..85c249a11b 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -45,7 +45,7 @@ from ipapython.dn import DN from ipalib import api, errors, x509 from ipaplatform.paths import paths from ipaserver.plugins.ldap2 import ldap2 -from ipaserver.install import cainstance, dsinstance, certs +from ipaserver.install import ca, cainstance, dsinstance, certs # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more @@ -99,9 +99,10 @@ def get_nickname(): if not subject_base: return None + ca_subject_dn = ca.lookup_ca_subject(api, subject_base) + nickname_by_subject_dn = { - DN('CN=Certificate Authority', subject_base): - 'caSigningCert cert-pki-ca', + DN(ca_subject_dn): 'caSigningCert cert-pki-ca', DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca', DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca', DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
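Review bot: in the `get_nickname` hunk, the new `ca_subject_dn = ca.lookup_ca_subject(api, subject_base)` call has no failure handling, while the line directly above it returns `None` when `subject_base` is unavailable; the hunk does not show what `lookup_ca_subject` does when the CA subject entry is missing or unreadable, so if it can raise, the exception will escape this certmonger helper instead of taking the same graceful `None` path. Either guard the call the way `subject_base` is guarded, or add a one-line comment stating that `lookup_ca_subject` always returns a DN and falls back to `CN=Certificate Authority, {subject_base}` when nothing is stored, so the next reader does not have to check. Minor: the dictionary now mixes one key built as `DN(ca_subject_dn)` (a complete DN) with keys built as `DN('CN=...', subject_base)` (RDN plus base); a short comment on the `+ DN(ca_subject_dn): 'caSigningCert cert-pki-ca',` line explaining that the CA signing cert subject is looked up in full because it may not follow the default form would make the asymmetry intentional rather than surprising.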
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org