Import Upstream version 4.12.4

install/restart_scripts/renew_ca_cert.in

@@ -28,7 +28,6 @@ import shutil
 import traceback
 
 from ipalib.install import certstore
-from ipapython import directivesetter
 from ipapython import ipautil
 from ipalib import api, errors
 from ipalib import x509
@@ -37,7 +36,7 @@ from ipaserver.install import certs, cainstance
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
 from ipaplatform.paths import paths
-from ipapython.certdb import TrustFlags
+from ipapython.certdb import TrustFlags, get_ca_nickname
 
 
 def _main():
@@ -50,6 +49,8 @@ def _main():
 
     dogtag_service = services.knownservices['pki_tomcatd']
 
+    ca = cainstance.CAInstance(host_name=api.env.host)
+
     # dogtag opens its NSS database in read/write mode so we need it
     # shut down so certmonger can open it read/write mode. This avoids
     # database corruption. It should already be stopped by the pre-command
@@ -83,13 +84,15 @@ def _main():
 
         api.Backend.ldap2.connect()
 
-        ca = cainstance.CAInstance(host_name=api.env.host)
         ca.update_cert_config(nickname, cert)
         if ca.is_renewal_master():
             cainstance.update_people_entry(cert)
             cainstance.update_authority_entry(cert)
 
-        if nickname == 'auditSigningCert cert-pki-ca':
+        if nickname in (
+            'auditSigningCert cert-pki-ca',
+            'auditSigningCert cert-pki-kra',
+        ):
             # Fix trust on the audit cert
             try:
                 db.run_certutil(['-M',
@@ -105,32 +108,9 @@ def _main():
                     "Updating trust on certificate %s failed in %s" %
                     (nickname, db.secdir))
         elif nickname == 'caSigningCert cert-pki-ca':
-            # Update CS.cfg
-            cfg_path = paths.CA_CS_CFG_PATH
-            config = directivesetter.get_directive(
-                cfg_path, 'subsystem.select', '=')
-            if config == 'New':
-                syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
-                if cert.is_self_signed():
-                    directivesetter.set_directive(
-                        cfg_path, 'hierarchy.select', 'Root',
-                        quotes=False, separator='=')
-                    directivesetter.set_directive(
-                        cfg_path, 'subsystem.count', '1',
-                        quotes=False, separator='=')
-                else:
-                    directivesetter.set_directive(
-                        cfg_path, 'hierarchy.select', 'Subordinate',
-                        quotes=False, separator='=')
-                    directivesetter.set_directive(
-                        cfg_path, 'subsystem.count', '0',
-                        quotes=False, separator='=')
-            else:
-                syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
-
             # Remove old external CA certificates
             for ca_nick, ca_flags in db.list_certs():
-                if ca_flags.has_key:
+                if ca_flags.has_key or not ca_flags.ca:
                     continue
                 # Delete *all* certificates that use the nickname
                 while True:
@@ -174,8 +154,11 @@ def _main():
                         "%s" % e)
                     ca_certs = []
 
+                realm_nickname = get_ca_nickname(api.env.realm)
                 for ca_cert, ca_nick, ca_flags in ca_certs:
                     try:
+                        if ca_nick == realm_nickname:
+                            ca_nick = 'caSigningCert cert-pki-ca'
                         db.add_cert(ca_cert, ca_nick, ca_flags)
                     except ipautil.CalledProcessError as e:
                         syslog.syslog(