IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent

Browse Source 
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.

https://fedorahosted.org/freeipa/ticket/4784

Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
Jan Cholasta 2014-12-04 15:34:55 +00:00 committed by Petr Vobornik
parent 423c3e8f34
commit 1f6fff2b5a
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
install/certmonger/dogtag-ipa-ca-renew-agent-submit
View File

@ -147,7 +147,7 @@ def request_cert():
path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
args = [path] + sys.argv[1:]
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
args += ['-O', 'bypassCAnotafter=true']
args += ['-N', '-O', 'bypassCAnotafter=true']
stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
sys.stderr.write(stderr)
sys.stderr.flush()