From c8e3fdeb0015f9c52c64816d6cd39279c5d3ad5a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Jun 26 2024 05:36:53 +0000
Subject: PKINIT certificate: fix renewal on hidden replica

The renewal of PKINIT cert on hidden replica is failing because of a test ensuring that the KDC service is either enabled or configured. The test needs to be extended and allow hidden, too.

Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index df415c3..6249c6d 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -55,7 +55,7 @@ from ipapython.dn import DN
 from ipapython.ipautil import datetime_from_utctimestamp
 from ipaserver.plugins.service import normalize_principal, validate_realm
 from ipaserver.masters import (
-    ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
+    ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
 )
 
 try:
@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
 def ca_kdc_check(api_instance, hostname):
     master_dn = api_instance.Object.server.get_dn(unicode(hostname))
     kdc_dn = DN(('cn', 'KDC'), master_dn)
-    wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
+    wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
     try:
         kdc_entry = api_instance.Backend.ldap2.get_entry(
             kdc_dn, ['ipaConfigString'])
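Review bot: The `wanted` set on the added line in the second hunk now lists every KDC state that passes this check, but nothing says why a hidden replica is accepted, and this gate decides whether a host may obtain a KDC/PKINIT certificate, so the next reader will have to rediscover the reasoning; a one-line comment above it would do, `# A hidden replica still runs a KDC and must be able to renew its PKINIT cert (issue 9611).` The same three-state set is presumably what `is_service_enabled`, imported in the first hunk, treats as a present service — if ipaserver.masters already exposes such a set, reusing it here would keep the two from drifting when another state is added, though I cannot see that module from this hunk. ca_kdc_check continues past the end of the hunk, so how the entry's ipaConfigString values are matched against `wanted` is not reviewed here.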