freeipa/ipalib
Fraser Tweedale 769180c2c6 Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.

To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given.  Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.

As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.

Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-29 21:47:14 +11:00
install Fix errors found by Pylint-2.4.3 2019-10-21 18:01:32 +11:00
__init__.py Fix errors found by Pylint-2.4.3 2019-10-21 18:01:32 +11:00
aci.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
backend.py Fix Pylint 2.0 violations 2018-07-14 12:04:19 +02:00
base.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
capabilities.py Replace LooseVersion 2016-11-24 15:46:40 +01:00
cli.py make sure IPA_CONFDIR is used to check that client is configured 2019-01-10 11:24:08 +01:00
config.py Don't hard-code client's TLS versions and ciphers 2019-12-02 16:48:07 +01:00
constants.py Do not renew externally-signed CA as self-signed 2020-01-29 21:47:14 +11:00
crud.py ipalib, ipaserver: fix incorrect API.register calls in docstrings 2016-05-25 16:06:26 +02:00
dns.py dnsrecord-mod: allow to modify ttl without passing the record 2019-07-01 09:16:21 +02:00
errors.py Require UTF-8 fs encoding 2017-11-21 16:13:28 +01:00
frontend.py Fixed errors newly exposed by pylint 2.4.0 2019-09-25 20:14:06 +10:00
krb_utils.py Allow login to WebUI using Kerberos aliases/enterprise principals 2017-03-08 15:56:11 +01:00
Makefile.am Build: Makefiles for Python packages 2016-11-09 13:08:32 +01:00
messages.py Handle missing LWCA certificate or chain 2019-06-18 10:36:24 +10:00
misc.py Add fix for ipa plugins command 2017-02-17 10:22:07 +01:00
output.py Generate same API.txt under Python 2 and 3 2018-02-15 09:41:30 +01:00
parameters.py DNParam: raise Exception when multiple values provided to a 1-val param 2019-11-20 11:15:28 +01:00
pkcs10.py Remove pkcs10 module contents 2017-10-25 09:46:41 +02:00
plugable.py Removed unnecessary imports after code review. 2019-09-27 09:38:32 +02:00
request.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
rpc.py rpc: always read response 2018-11-07 08:39:42 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
text.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
util.py Fix logic of check_client_configuration 2019-12-05 15:09:38 +01:00
x509.py move MSCSTemplate classes to ipalib 2019-07-17 17:58:58 +03:00