Update IPA CA issuer DN upon renewal

When renewing externally-signed CA or when switching from externally-signed to self-signed CA, the Issuer DN can change. Update the ipaCaIssuerDn field of the IPA CA entry upon renewal, to keep it in sync. Fixes: https://pagure.io/freeipa/issue/7316 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-01-29 18:34:51 +11:00
parent 8821f7ae8e
commit b07937d0b8
1 changed files with 25 additions and 1 deletions
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -24,7 +24,7 @@ import os
 from optparse import OptionGroup  # pylint: disable=deprecated-module
 import gssapi

-from ipalib.constants import RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME
+from ipalib.constants import RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME, IPA_CA_CN
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
 from ipapython.certdb import (EMPTY_TRUST_FLAGS,
@@ -206,6 +206,10 @@ class CACertManage(admintool.AdminTool):

        self.resubmit_request()

+        db = certs.CertDB(api.env.realm, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
+        cert = db.get_cert_from_db(self.cert_nickname)
+        update_ipa_ca_entry(api, cert)
+
        print("CA certificate successfully renewed")

    def renew_external_step_1(self, ca):
@@ -327,6 +331,8 @@ class CACertManage(admintool.AdminTool):
        except errors.EmptyModlist:
            pass

+        update_ipa_ca_entry(api, new_cert)
+
        try:
            ca.set_renewal_master()
        except errors.NotFound:
@@ -429,3 +435,21 @@ class CACertManage(admintool.AdminTool):
                "Failed to install the certificate: %s" % e)

        print("CA certificate successfully installed")
+
+
+def update_ipa_ca_entry(api, cert):
+    """
+    The Issuer DN of the IPA CA may have changed.  Update the IPA CA entry.
+
+    :param api: finalised API object, with *connected* LDAP backend
+    :param cert: a python-cryptography Certificate object
+
+    """
+    try:
+        entry = api.Backend.ldap2.get_entry(
+            DN(('cn', IPA_CA_CN), api.env.container_ca, api.env.basedn),
+            ['ipacaissuerdn'])
+        entry['ipacaissuerdn'] = [DN(cert.issuer)]
+        api.Backend.ldap2.update_entry(entry)
+    except errors.EmptyModlist:
+        pass