880d21b828
- Allow the admin user to be disabled Resolves: RHEL-34756 - ipa-otptoken-import: open the key file in binary mode Resolves: RHEL-39616 - ipa-crlgen-manage: manage the cert status task execution time Resolves: RHEL-30280 - idrange-add: add a warning because 389ds restart is required Resolves: RHEL-28996 - PKINIT certificate: fix renewal on hidden replica Resolves: RHEL-4913, RHEL-45908 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
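diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 619be83..9be1b67 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -55,7 +55,7 @@ from ipapython.dn import DN
 from ipapython.ipautil import datetime_from_utctimestamp
 from ipaserver.plugins.service import normalize_principal, validate_realm
 from ipaserver.masters import (
- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
 )
 
 try:
@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
 def ca_kdc_check(api_instance, hostname):
 master_dn = api_instance.Object.server.get_dn(unicode(hostname))
 kdc_dn = DN(('cn', 'KDC'), master_dn)
- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
 try:
 kdc_entry = api_instance.Backend.ldap2.get_entry(
 kdc_dn, ['ipaConfigString'])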
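Review bot: The widened `wanted` set in `ca_kdc_check` carries no comment explaining why a hidden KDC is now an accepted state, and this set appears to decide which hosts may be issued a KDC (PKINIT) certificate. Since that is an authorization decision, the rationale belongs next to it, for example `# hidden replicas still run a KDC, so they must be able to renew their PKINIT certificate`. The rest of the function lies outside the hunk, so how `wanted` is compared with the `ipaConfigString` values cannot be checked from here. It is worth confirming that an entry must carry one of these states, not just any value.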
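diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index b71f2d5..7ef44c5 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -26,6 +26,7 @@ from ipalib.constants import (
 )
 from ipaplatform.paths import paths
 from ipapython import certdb
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
 from ipatests.test_integration.test_dns_locations import (
 resolve_records_from_server, IPA_DEFAULT_MASTER_SRV_REC
 )
@@ -1241,6 +1242,23 @@ class TestHiddenReplicaPromotion(IntegrationTest):
 'ipa-crlgen-manage', 'status'])
 assert "CRL generation: enabled" in result.stdout_text
 
+ def test_hidden_replica_renew_pkinit_cert(self):
+ """Renew the PKINIT cert on a hidden replica.
+
+ Test for https://pagure.io/freeipa/issue/9611
+ """
+ # Get Request ID
+ cmd = ['getcert', 'list', '-f', paths.KDC_CERT]
+ result = self.replicas[0].run_command(cmd)
+ req_id = get_certmonger_fs_id(result.stdout_text)
+
+ self.replicas[0].run_command([
+ 'getcert', 'resubmit', '-f', paths.KDC_CERT
+ ])
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+
 
 class TestHiddenReplicaKRA(IntegrationTest):
 """Test KRA & hidden replica features.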
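Review bot: In `test_hidden_replica_renew_pkinit_cert`, `('MONITORING')` is a parenthesised string rather than a one-element tuple, so `wait_for_certmonger_status` receives the plain string `'MONITORING'`. If the helper tests the reported state with `in` (its body is not visible here), that becomes a substring match, and an empty or partial state would satisfy the wait immediately; pass `('MONITORING',)` instead. The test also never checks that a new certificate was actually issued. A request already in MONITORING before the resubmit is picked up could end the wait, so comparing the certificate's serial or expiry before and after would make this a real renewal check.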