URL: https://github.com/freeipa/freeipa/pull/5338
Author: flo-renaud
Title: #5338: ipa-cert-fix: do not fail when CSR is missing from CS.cfg
Action: opened
PR body:
"""
### ipa-cert-fix: do not fail when CSR is missing from CS.cfg
When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.
The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.
Fixes: https://pagure.io/freeipa/issue/8618
### ipatests: add a test for ipa-cert-fix
Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.
Test scenario:
- move the date in the future to expire PKI system certificates (+3 years)
- delete the directive ca.sslserver.certreq from CS.cfg
- call ipa-cert-fix and ensure that the CSR was found
Related: https://pagure.io/freeipa/issue/8618
### ipatests: add test_ipa_cert_fix to the nightly definitions
Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.
Related: https://pagure.io/freeipa/issue/8618
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5338/head:pr5338
git checkout pr5338
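
The check the PR body describes (make sure the CSR is present in CS.cfg, otherwise take it from the certmonger request file), as an added example that is not code from the PR or from FreeIPA. The helper names and sample data are hypothetical; it assumes certmonger stores values as key=value with continuation lines indented by one space, and that CS.cfg holds the CSR as a single base64 line without PEM markers.

```python
# Added example (not FreeIPA code): fill a missing certreq directive from certmonger data.

def parse_request(text):
    """Parse a certmonger request file into a dict (assumed key=value format)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and key:  # continuation of the previous value
            fields[key] += "\n" + line[1:]
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields

def pem_to_single_line(pem):
    """Drop the PEM armor lines and join the base64 body into one line."""
    body = [l.strip() for l in pem.splitlines()
            if l.strip() and not l.strip().startswith("-----")]
    return "".join(body)

def ensure_certreq(cs_cfg, directive, request_text):
    """Return (cs_cfg, changed); fill `directive` from certmonger if absent or empty."""
    lines = cs_cfg.splitlines()
    for i, line in enumerate(lines):
        name, sep, value = line.partition("=")
        if name == directive and sep:
            if value.strip():
                return cs_cfg, False  # CSR already present, nothing to do
            del lines[i]              # empty directive: replace it below
            break
    csr = parse_request(request_text).get("csr")
    if not csr:
        raise ValueError("no csr attribute in certmonger request")
    lines.append(f"{directive}={pem_to_single_line(csr)}")
    return "\n".join(lines) + "\n", True

# Constructed sample inputs (not taken from a real system).
SAMPLE_REQUEST = (
    "id=20201215100000\n"
    "csr=-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    " TUlJQ29uc3RydWN0ZWRTYW1wbGU\n"
    " QUJDREVGRw==\n"
    " -----END NEW CERTIFICATE REQUEST-----\n"
    "state=MONITORING\n"
)
SAMPLE_CS_CFG = "ca.signing.certreq=TUlJ\n"

if __name__ == "__main__":
    print(ensure_certreq(SAMPLE_CS_CFG, "ca.sslserver.certreq", SAMPLE_REQUEST))
```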