freeipa

Clone
Source Code
GIT

a230153 PKINIT: fix ipa-pkinit-manage enable|disable

Authored and Committed by frenaud 5 years ago
raw patch tree parent
2 files changed. 8 lines added. 3 lines removed.
ipaserver/install/ipa_pkinit_manage.py
file modified
+2 -0
ipaserver/install/krbinstance.py
file modified
+6 -3 
    PKINIT: fix ipa-pkinit-manage enable|disable
    
    The command ipa-pkinit-manage enable|disable is reporting
    success even though the PKINIT cert is not re-issued.
    The command triggers the request of a new certificate
    (signed by IPA CA when state=enable, selfsigned when disabled),
    but as the cert file is still present, certmonger does not create
    a new request and the existing certificate is kept.
    
    The fix consists in deleting the cert and key file before calling
    certmonger to request a new cert.
    
    There was also an issue in the is_pkinit_enabled() function:
    if no tracking request was found for the PKINIT cert,
    is_pkinit_enabled() was returning True while it should not.
    
    Fixes https://pagure.io/freeipa/issue/7200
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
file modified
+2 -0
file modified
+6 -3
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.