dsinstance: add proflie when tracking certificate

When the DS certificate gets untracked then tracked again (via dsinstance.start_tracking_certificate()), it loses its profile configuration. Although it is the default profile, we want to retain the explicit reference. Ensure we add the profile when re-tracking the DS certificate. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-07-19 14:38:58 +10:00 · 2019-07-19 14:38:58 +10:00 · b7ad11572d
commit b7ad11572d
parent f5822e3a25
2 changed files with 10 additions and 5 deletions
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -377,14 +377,16 @@ class CertDB:
        except ipautil.CalledProcessError:
            return None

-    def track_server_cert(self, nickname, principal, password_file=None, command=None):
+    def track_server_cert(
+            self, nickname, principal,
+            password_file=None, command=None, profile=None):
        """
        Tell certmonger to track the given certificate nickname.
        """
        try:
            request_id = certmonger.start_tracking(
                self.secdir, nickname=nickname, pinfile=password_file,
-                post_command=command)
+                post_command=command, profile=profile)
        except RuntimeError as e:
            logger.error("certmonger failed starting to track certificate: %s",
                         str(e))
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -1185,9 +1185,12 @@ class DsInstance(service.Service):
        dirname = config_dirname(serverid)[:-1]
        dsdb = certs.CertDB(self.realm, nssdir=dirname)
        if dsdb.is_ipa_issued_cert(api, nickname):
-            dsdb.track_server_cert(nickname, self.principal,
-                                   dsdb.passwd_fname,
-                                   'restart_dirsrv %s' % serverid)
+            dsdb.track_server_cert(
+                nickname,
+                self.principal,
+                password_file=dsdb.passwd_fname,
+                command='restart_dirsrv %s' % serverid,
+                profile=dogtag.DEFAULT_PROFILE)
        else:
            logger.debug("Will not track DS server certificate %s as it is "
                         "not issued by IPA", nickname)