PKINIT: fix ipa-pkinit-manage enable|disable

The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, self-signed when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.

The fix consists of deleting the cert and key file before calling
certmonger to request a new cert.

There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.

Fixes https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Florence Blanc-Renaud 2018-11-30 15:49:20 +01:00
parent 52c3c90875
commit a230153837
2 changed files with 8 additions and 3 deletions

@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
if ca_enabled:
logger.warning(
"Failed to stop tracking certificates: %s", e)
# remove the cert and key
krb.delete_pkinit_cert()
krb.enable_ssl()
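Review bot: `krb.delete_pkinit_cert()` is inserted before `krb.enable_ssl()` and runs even on the `logger.warning` path above where stopping the tracking request failed, so if the certmonger request that follows does not succeed the KDC is left with no PKINIT cert or key on disk instead of the previous one; consider logging that the old cert and key were removed, or failing the command hard when the new request is not obtained, so the operator is not shown success with PKINIT silently broken. The comment `# remove the cert and key` would also be more useful if it stated the reason from the commit message: certmonger keeps the existing certificate rather than issuing a new one while the file is present.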

@ -77,7 +77,7 @@ def is_pkinit_enabled():
if os.path.exists(paths.KDC_CERT):
pkinit_request_ca = get_pkinit_request_ca()
if pkinit_request_ca != "SelfSign":
if pkinit_request_ca and pkinit_request_ca != "SelfSign":
return True
return False
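Review bot: the new guard `if pkinit_request_ca and pkinit_request_ca != "SelfSign":` correctly makes a KDC cert file with no certmonger tracking request (i.e. `get_pkinit_request_ca()` returning a falsy value) report PKINIT as disabled, which is the intent stated in the commit message. As a style point, the nested `if`s under the `os.path.exists(paths.KDC_CERT)` check could be collapsed to a single `return bool(pkinit_request_ca) and pkinit_request_ca != "SelfSign"`, and a one-line comment saying that a missing tracking request is treated as "not enabled" would make this behaviour change easier to find later.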
@ -602,6 +602,10 @@ class KrbInstance(service.Service):
def stop_tracking_certs(self):
certmonger.stop_tracking(certfile=paths.KDC_CERT)
def delete_pkinit_cert(self):
installutils.remove_file(paths.KDC_CERT)
installutils.remove_file(paths.KDC_KEY)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
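Review bot: `delete_pkinit_cert()` has no docstring. Both call sites in this patch invoke it immediately after `stop_tracking_certs()`, so document that callers are expected to stop certmonger tracking first, that it removes exactly `paths.KDC_CERT` and `paths.KDC_KEY`, and whether `installutils.remove_file` tolerates an already-missing file, since `ipa-pkinit-manage` may be run when one of the two files is absent.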
@ -627,8 +631,7 @@ class KrbInstance(service.Service):
# stop tracking and remove certificates
self.stop_tracking_certs()
installutils.remove_file(paths.CACERT_PEM)
installutils.remove_file(paths.KDC_CERT)
installutils.remove_file(paths.KDC_KEY)
self.delete_pkinit_cert()
if running:
self.restart()