freeipa · rcritten · May 25, 2023 · Jul 19, 2023 · flo-renaud · Sep 25, 2023
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
@@ -33,7 +33,7 @@
 from ipapython import ipaldap
 from ipalib import api, errors
 from ipaserver.install import certs, dsinstance, installutils, krbinstance
-from ipaserver.install import cainstance
+from ipaserver.install import cainstance, httpinstance
 
 
 class ServerCertInstall(admintool.AdminTool):
@@ -138,6 +138,8 @@ def run(self):
         api.Backend.ldap2.disconnect()
 
     def install_dirsrv_cert(self):
+        from ipaserver.plugins.service import revoke_certs
+
         serverid = ipaldap.realm_to_serverid(api.env.realm)
         dirname = dsinstance.config_dirname(serverid)
 
@@ -147,21 +149,35 @@ def install_dirsrv_cert(self):
                                ['nssslpersonalityssl'])
         old_cert = entry.single_value['nssslpersonalityssl']
 
-        server_cert = self.import_cert(dirname, self.options.pin,
-                                       old_cert, 'ldap/%s' % api.env.host,
-                                       'restart_dirsrv %s' % serverid)
+        nickname, cert = self.import_cert(dirname, self.options.pin,
+                                          old_cert, 'ldap/%s' % api.env.host,
+                                          'restart_dirsrv %s' % serverid)
 
-        entry['nssslpersonalityssl'] = [server_cert]
+        entry['nssslpersonalityssl'] = [nickname]
         try:
             conn.update_entry(entry)
         except errors.EmptyModlist:
             pass
 
+        ds = dsinstance.DsInstance()
+        ds.suffix = api.env.basedn
+        ds.realm = api.env.realm
+        ds.fqdn = api.env.host
+        ds.service_prefix = 'ldap'
+        ds.cert = cert
+        name = f'{ds.service_prefix}/{ds.fqdn}'
+        oldcerts = api.Command.cert_find(service=name)['result']
+        ds.add_cert_to_service(append=False)
+
+        revoke_certs(oldcerts)
+
     def replace_http_cert(self):
         """
         Replace the current HTTP cert-key pair with another one
         from a PKCS#12 file
         """
+        from ipaserver.plugins.service import revoke_certs
+
         # pass in `host_name` to perform
         # `NSSDatabase.verify_server_cert_validity()``
         cert, key, ca_cert = self.load_pkcs12(
@@ -184,6 +200,18 @@ def replace_http_cert(self):
                 req_id, 'HTTP/{host}'.format(host=api.env.host))
             certmonger.add_subject(req_id, str(DN(cert.subject)))
 
+        http = httpinstance.HTTPInstance()
+        http.suffix = api.env.basedn
+        http.realm = api.env.realm
+        http.fqdn = api.env.host
+        http.service_prefix = 'HTTP'
+        http.cert = cert
+        name = f'{http.service_prefix}/{http.fqdn}'
+        oldcerts = api.Command.cert_find(service=name)['result']
+        http.add_cert_to_service(append=False)
+
+        revoke_certs(oldcerts)
+
     def replace_kdc_cert(self):
         # pass in `realm` to perform `NSSDatabase.verify_kdc_cert_validity()`
         cert, key, ca_cert = self.load_pkcs12(
@@ -314,7 +342,8 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
             cdb.import_pkcs12(pkcs12_file.name, pin)
             news = cdb.find_server_certs()
             server_certs = [item for item in news if item not in prevs]
-            server_cert = server_certs[0][0]
+            nickname = server_certs[0][0]
+            cert = cdb.get_cert_from_db(nickname)
 
             if ca_enabled:
                 # Start tracking only if the cert was issued by IPA CA
@@ -323,11 +352,11 @@ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
                     get_ca_nickname(api.env.realm))
                 # And compare with the CA which signed this certificate
                 if ca_cert == ipa_ca_cert:
-                    cdb.track_server_cert(server_cert,
+                    cdb.track_server_cert(nickname,
                                           principal,
                                           cdb.passwd_fname,
                                           command)
         except RuntimeError as e:
             raise admintool.ScriptError(str(e))
 
-        return server_cert
+        return nickname, cert
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
@@ -503,7 +503,7 @@ def add_autobind_entry(self, user, group, principal):
 
         return dn
 
-    def add_cert_to_service(self):
+    def add_cert_to_service(self, append=True):
         """
         Add a certificate to a service
 
@@ -513,7 +513,10 @@ def add_cert_to_service(self):
             raise ValueError("{} has no cert".format(self.service_name))
         dn = self.get_principal_dn()
         entry = api.Backend.ldap2.get_entry(dn)
-        entry.setdefault('userCertificate', []).append(self.cert)
+        if append:
+            entry.setdefault('userCertificate', []).append(self.cert)
+        else:
+            entry['userCertificate'] = self.cert
         try:
             api.Backend.ldap2.update_entry(entry)
         except Exception as e:

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
@@ -1545,6 +1545,62 @@ def test_anon_pkinit_with_external_CA(self):
         result = self.master.run_command(['kinit', '-n'])
         assert result.returncode == 0
 
+    # The previous install will be lost with this test
+    def test_services_are_updated(self):
+        "Test that IPA service entries get updated & old certs revoked"
+
+        tasks.uninstall_master(self.master, clean=False)
+        ipa_certs_cleanup(self.master)
+        tasks.install_master(self.master, setup_dns=False)
+
+        test_dir = self.master.config.test_dir
+        for filename in ('ca1.crt', 'ca1/server.crt'):
+            self.master.transport.put_file(
+                os.path.join(self.cert_dir, filename),
+                os.path.join(test_dir, os.path.basename(filename))
+            )
+        result = self.master.run_command(
+            ['ipa-cacert-manage', 'install',
+             os.path.join(self.master.config.test_dir,'ca1.crt')]
+        )
+        assert result.returncode == 0
+        result = self.master.run_command(['ipa-certupdate'])
+        assert result.returncode == 0
+
+        result = self.master.run_command([
+            'openssl', 'x509', '-serial', '-noout', '-in',
+            os.path.join(self.master.config.test_dir, 'server.crt')
+        ])
+        new_serial = str(int(result.stdout_text.split('=')[1].strip()))
+
+        serials = {}
+        for service in ('HTTP', 'ldap',):
+            result = self.master.run_command(
+                'ipa service-show %s/%s --raw | grep serial_number:' %
+                (service, self.master.hostname)
+            )
+            serial_number = result.stdout_text.split(':')[1].strip()
+            serials[service] = serial_number
+
+        # import pdb; pdb.set_trace()
+        for service in ('w', 'd',):
+            result = self.certinstall(service, 'ca1/server')
+            assert result.returncode == 0
+
+        for service in ('HTTP', 'ldap',):
+            result = self.master.run_command(
+                'ipa service-show %s/%s --raw | grep serial_number:' %
+                (service, self.master.hostname)
+            )
+            serial_number = result.stdout_text.split(':')[1].strip()
+            assert serial_number == new_serial
+
+            result = self.master.run_command(
+                ['ipa', 'cert-show', serials[service], '--raw']
+            )
+            assert 'revocation_reason:' in result.stdout_text
+
+
 
 def verify_kdc_cert_perms(host):
     """Verify that the KDC cert pem file has 0644 perms"""