ipa-cert-fix: fix spurious renewal master change

We only want to become the renewal master if we actually renewed a
shared certificate.  But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset.  Fix the
bug.

A static type system would have excluded this bug.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fraser Tweedale 2019-05-27 09:55:25 +10:00
parent 582cc7da1d
commit 162dce1c70

@ -128,7 +128,7 @@ class IPACertFix(AdminTool):
replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
if any(x != 'sslserver' for x in certs) \
if any(x[0] != 'sslserver' for x in certs) \
or any(x[0] is IPACertType.IPARA for x in extra_certs):
# we renewed a "shared" certificate, therefore we must
# become the renewal master