To update the CA certificate in the Dogtag NSS database, the ipa-cacert-manage renew and ipa-certupdate commands temporarily change the profile of the CA certificate certmonger request, resubmit it and change the profile back to the original one.
When something goes wrong while resubmitting the request, it needs to be modified and resubmitted again manually. This might fail with an invalid cookie error, because changing the profile does not change the internal state of the request.
Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when the profile is changed.
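One way a certmonger helper could detect the profile change described above, as an added example that is not the code from the FreeIPA patch: the helper records the profile inside its own cookie and treats a POLL that arrives under a different profile as a fresh SUBMIT. The cookie layout, the function names and the profile values are assumptions made for illustration; the CERTMONGER_* variables are the ones certmonger passes to helpers.

```python
import json

SUBMIT, POLL = "SUBMIT", "POLL"


def make_cookie(profile, state):
    """Serialize helper state together with the profile it was created under.

    Hypothetical cookie layout: a JSON object with 'profile' and 'state' keys.
    """
    return json.dumps({"profile": profile, "state": state})


def resolve_operation(env):
    """Return (operation, state) the helper should act on.

    env is a mapping shaped like the helper's environment. A POLL whose cookie
    was created under another profile is stale: the saved state is dropped and
    the request restarts as SUBMIT. An unparsable cookie still raises
    ValueError, which is the "invalid cookie" failure mode.
    """
    operation = env.get("CERTMONGER_OPERATION")
    profile = env.get("CERTMONGER_CA_PROFILE")
    if operation != POLL:
        return operation, None

    cookie = json.loads(env.get("CERTMONGER_CA_COOKIE", ""))
    if not isinstance(cookie, dict):
        raise ValueError("invalid cookie")

    if cookie.get("profile") != profile:
        # Profile changed since the cookie was issued: reset internal state.
        return SUBMIT, None
    return POLL, cookie.get("state")


if __name__ == "__main__":
    # Constructed sample: cookie saved under one profile, polled under another.
    saved = make_cookie("profile-a", {"step": "waiting"})
    env = {
        "CERTMONGER_OPERATION": POLL,
        "CERTMONGER_CA_PROFILE": "profile-b",
        "CERTMONGER_CA_COOKIE": saved,
    }
    print(resolve_operation(env))
```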
Stretch 4.1.
Patch was not reviewed in 4.1 scope, moving to 4.1.1 release.
master:
ipa-4-1:
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=886645 (Red Hat Enterprise Linux 7)
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1.1