From b7ad11572d3060e64252c4366d7c8afff1bc15e9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 19 Jul 2019 14:38:58 +1000 Subject: [PATCH] dsinstance: add proflie when tracking certificate When the DS certificate gets untracked then tracked again (via dsinstance.start_tracking_certificate()), it loses its profile configuration. Although it is the default profile, we want to retain the explicit reference. Ensure we add the profile when re-tracking the DS certificate. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden --- ipaserver/install/certs.py | 6 ++++-- ipaserver/install/dsinstance.py | 9 ++++++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 9c46bc324..361ff783d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -377,14 +377,16 @@ class CertDB: except ipautil.CalledProcessError: return None - def track_server_cert(self, nickname, principal, password_file=None, command=None): + def track_server_cert( + self, nickname, principal, + password_file=None, command=None, profile=None): """ Tell certmonger to track the given certificate nickname. """ try: request_id = certmonger.start_tracking( self.secdir, nickname=nickname, pinfile=password_file, - post_command=command) + post_command=command, profile=profile) except RuntimeError as e: logger.error("certmonger failed starting to track certificate: %s", str(e)) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 81cd912c2..55e0839ae 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
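Review bot: The docstring of `track_server_cert` still reads only "Tell certmonger to track the given certificate nickname." and says nothing about the new `profile` argument. Because `profile` defaults to `None`, any caller that is not updated keeps re-tracking without an explicit profile, which is the state this commit fixes for the DS certificate. I would add a line such as `profile: certificate profile to set on the tracking request; None leaves it without an explicit profile`. The call also relies on `certmonger.start_tracking()` accepting a `profile` keyword, which this patch does not show (only two files are touched), so confirm that against the certmonger helper. The method body continues past the end of the hunk.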
@@ -1185,9 +1185,12 @@ class DsInstance(service.Service):
 dirname = config_dirname(serverid)[:-1]
 dsdb = certs.CertDB(self.realm, nssdir=dirname)
 if dsdb.is_ipa_issued_cert(api, nickname):
- dsdb.track_server_cert(nickname, self.principal,
- dsdb.passwd_fname,
- 'restart_dirsrv %s' % serverid)
+ dsdb.track_server_cert(
+ nickname,
+ self.principal,
+ password_file=dsdb.passwd_fname,
+ command='restart_dirsrv %s' % serverid,
+ profile=dogtag.DEFAULT_PROFILE)
 else:
 logger.debug("Will not track DS server certificate %s as it is "
 "not issued by IPA", nickname)
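Review bot: `dogtag.DEFAULT_PROFILE` is used in the new `track_server_cert(...)` call, but the diffstat shows that all nine changed lines of dsinstance.py are in this hunk, so the commit adds no import. If `dogtag` is not already imported at the top of the file, this branch raises NameError the first time an IPA-issued DS certificate is re-tracked; please confirm the import exists. Separately, `command='restart_dirsrv %s' % serverid` builds the command that certmonger runs by string interpolation. The commit does not change that, but since the origin of `serverid` is not visible here, a one-line comment saying where it comes from and what characters it may contain would help the next reader. The enclosing method starts before the hunk.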