From ac6eee670d8a753e66ba69a65eff55447fff2822 Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov
Date: Mar 25 2025 09:33:06 +0000
Subject: Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired.

Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---

diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 8e02d1e..960d7b9 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
 
 
 cert_nicknames = {
+    'ca_issuing': 'caSigningCert cert-pki-ca',
     'sslserver': 'Server-Cert cert-pki-ca',
     'subsystem': 'subsystemCert cert-pki-ca',
     'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
             print("Nothing to do.")
             return 0
 
+        if any(key == 'ca_issuing' for key, _ in certs):
+            logger.debug("CA signing cert is expired, exiting!")
+            print(
+                "The CA signing certificate is expired or will expire within "
+                "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+                "refer to the ipa-cacert-manage tool to renew the CA "
+                "certificate before proceeding."
+            )
+            return 1
+
         print(msg)
         print_intentions(certs, extra_certs, non_renewed)
 
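Review bot: The fatal condition in the second hunk is only recorded at debug level, so at the default log level the non-zero exit leaves no trace of why the tool refused to proceed; the log line should also say "expiring soon", since the guard fires for the same near-expiry window the user-facing text describes, e.g. `logger.error("CA signing cert is expired or expiring soon, exiting!")`. The printed message hard-codes "the next two weeks"; if that window comes from the expiry threshold used to build `certs` elsewhere in the file (not visible in this hunk), consider deriving the wording from that value so the two cannot drift apart. Note also that the first hunk makes `'ca_issuing'` a member of `cert_nicknames` for every consumer of that dict, while the guard lives only in this method; any other code path that iterates `cert_nicknames` to renew certificates would still see the CA signing cert as a candidate, so a short comment on the dict entry stating that it is there to be detected and refused, not renewed, would help the next maintainer. The enclosing method starts and ends outside the hunk.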