ipa-cacert-manage renew: switch from ext-signed CA to self-signed

The scenario switching from externally signed CA to self-signed CA is currently failing because the certmonger helper goes through the wrong code path when the cert is not self-signed. When the cert is not self-signed but the admin wants to switch to self-signed a new cert needs to be requested, not retrieved from LDAP. https://pagure.io/freeipa/issue/7173 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
frasertweedale · Oct 18, 2017 · 49cf5ec · 49cf5ec
1 parent c8dbd0c
commit 49cf5ec
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -438,7 +438,7 @@ def renew_ca_cert(reuse_existing, **kwargs):
     if operation == 'SUBMIT':
         state = 'retrieve'
 
-        if is_self_signed and not reuse_existing and is_renewal_master():
+        if not reuse_existing and is_renewal_master():
             state = 'request'
 
         csr_file = paths.IPA_CA_CSR