025cfd9 Fix ipa-server-certinstall with certs signed by 3rd-party CA

1 file. Authored by frenaud 7 years ago, committed by pvoborni 7 years ago.
    Fix ipa-server-certinstall with certs signed by 3rd-party CA
    
    Multiple issues fixed:
    - when untracking a certificate, the path to the NSS directory must be
    exactly identical (no trailing /), otherwise the request is not found
    and the old certificate is still tracked.
    
    - when a cert is issued by a 3rd party CA, no need to track it
    
    - the server_cert should not be found using cdb.find_server_certs()[0][0]
    because this function can return multiple server certificates. For
    instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
    with the trust flags u,u,u. This leads to trying to track ipaCert (which is
    already tracked).
    The workaround is looking for server certs before and after the import,
    and extracting server-cert as the certificate in the second list but not in
    the first list.
    
    https://fedorahosted.org/freeipa/ticket/4785
    https://fedorahosted.org/freeipa/ticket/4786
    
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
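
The three fixes listed in the commit message, sketched as an added Python example (not FreeIPA's code and not taken from this commit). The function names, the request dictionaries and the sample nicknames and subjects are hypothetical; the nickname and trust-flag pairs are constructed from the /etc/httpd/alias listing the message describes.

```python
import os

# Constructed sample data: (nickname, trust flags) pairs as listed in the NSS
# database before and after importing a certificate from a 3rd-party CA.
BEFORE = [("ipaCert", "u,u,u"), ("Server-Cert", "u,u,u"), ("Signing-Cert", "u,u,u")]
AFTER = BEFORE + [("CN=ipa.example.test,O=Third Party", "u,u,u")]
# Constructed tracking requests, stored without a trailing slash.
REQUESTS = [{"dir": "/etc/httpd/alias", "nickname": "Server-Cert"}]


def normalize_nss_dir(path):
    """Canonical directory form, so '/etc/httpd/alias/' matches '/etc/httpd/alias'."""
    return os.path.normpath(path)


def imported_server_cert(before, after):
    """Return the single nickname present after the import but not before it."""
    old = {nick for nick, _flags in before}
    new = [nick for nick, _flags in after if nick not in old]
    if len(new) != 1:
        # Zero or several new certs: refuse to guess which one to use.
        raise ValueError("expected exactly one new server cert, got %r" % (new,))
    return new[0]


def find_tracking_request(requests, nss_dir, nickname):
    """Find the tracking request to stop; directories are compared normalized."""
    wanted = (normalize_nss_dir(nss_dir), nickname)
    for req in requests:
        if (normalize_nss_dir(req["dir"]), req["nickname"]) == wanted:
            return req
    return None


def needs_tracking(issuer, ipa_ca_subject):
    """A cert issued by a 3rd-party CA is not tracked (assumed subject comparison)."""
    return issuer == ipa_ca_subject


if __name__ == "__main__":
    print("first listed cert (old lookup):", AFTER[0][0])
    print("newly imported cert:", imported_server_cert(BEFORE, AFTER))
    print("untrack:", find_tracking_request(REQUESTS, "/etc/httpd/alias/", "Server-Cert"))
    print("track new cert:", needs_tracking("CN=Third Party CA", "CN=Certificate Authority,O=EXAMPLE.TEST"))
```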