From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov
Date: Sat, 8 Mar 2025 14:55:09 +0100
Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired.

Fixes: https://pagure.io/freeipa/issue/9760

Signed-off-by: Aleksandr Sharov
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
 
 
 cert_nicknames = {
+    'ca_issuing': 'caSigningCert cert-pki-ca',
     'sslserver': 'Server-Cert cert-pki-ca',
     'subsystem': 'subsystemCert cert-pki-ca',
     'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
             print("Nothing to do.")
             return 0
 
+        if any(key == 'ca_issuing' for key, _ in certs):
+            logger.debug("CA signing cert is expired, exiting!")
+            print(
+                "The CA signing certificate is expired or will expire within "
+                "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+                "refer to the ipa-cacert-manage tool to renew the CA "
+                "certificate before proceeding."
+            )
+            return 1
+
         print(msg)
         print_intentions(certs, extra_certs, non_renewed)
 
-- 
2.49.0
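Review bot: The user-facing message in the new guard hard-codes "the next two weeks" while the expiry threshold that presumably put `'ca_issuing'` into `certs` is computed outside this hunk, so the text and the real window can silently drift apart if that threshold is ever changed; build the message from that constant (e.g. an f-string using the timedelta's `.days`) or drop the specific number. The `logger.debug("CA signing cert is expired, exiting!")` line also understates the condition, which fires for a CA that is merely close to expiry, and at debug level the reason for the non-zero exit never reaches the log at default verbosity; `logger.error("CA signing certificate is expired or about to expire; refusing to renew subsystem certificates")` would be clearer for anyone reading the log after an automated run. The enclosing method starts and ends outside the hunk, so whether `certs` always holds `(key, cert)` pairs at this point cannot be confirmed from this view.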