06b5511 ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt

1 file changed. Authored by frenaud 5 years ago, committed by rcritten 5 years ago.
    ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
    
    When IPA is installed with an externally signed CA, the master installer
    does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
    /etc/ipa/ca.crt contains the full chain).
    
    If a client is installed with a One-Time Password and without the
    --ca-cert-file option, the client installer downloads the cert chain
    from http://master.example.com/ipa/config/ca.crt, which is in fact
    /usr/share/ipa/html/ca.crt. The client installation then fails.
    Note that when the client is installed by providing admin/password,
    installation succeeds because the cert chain is read from the LDAP server.
    
    https://pagure.io/freeipa/issue/7526
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
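
The gap the commit message describes can be checked by comparing the two bundles it names. The following is an added example, not code from the FreeIPA project: it lists certificates present in a reference bundle (such as /etc/ipa/ca.crt) but absent from the published one (such as /usr/share/ipa/html/ca.crt), matching on the SHA-256 of each certificate's DER bytes. The function names and the sample PEM blocks are constructed for illustration, and the comparison does not validate signatures or expiry.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def pem_fingerprints(bundle_text):
    """Return the SHA-256 hex digest of each certificate's DER bytes, in file order."""
    prints = []
    for body in PEM_RE.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def missing_from_published(reference_text, published_text):
    """Fingerprints found in the reference bundle but not in the published one."""
    published = set(pem_fingerprints(published_text))
    return [fp for fp in pem_fingerprints(reference_text) if fp not in published]

def _fake_pem(der):
    # Constructed sample: arbitrary bytes in PEM armor, not a real certificate.
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for the IPA CA and the external CA that signed it.
IPA_CA = _fake_pem(b"constructed-ipa-ca-der")
EXTERNAL_ROOT = _fake_pem(b"constructed-external-root-der")

REFERENCE = IPA_CA + EXTERNAL_ROOT        # like /etc/ipa/ca.crt (full chain)
PUBLISHED_BROKEN = IPA_CA                 # like html/ca.crt before this fix
PUBLISHED_FIXED = EXTERNAL_ROOT + IPA_CA  # different order, same content

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # args: reference bundle path, published bundle path
        with open(sys.argv[1]) as ref, open(sys.argv[2]) as pub:
            gaps = missing_from_published(ref.read(), pub.read())
    else:
        gaps = missing_from_published(REFERENCE, PUBLISHED_BROKEN)
    for fp in gaps:
        print("missing from published bundle:", fp)
    sys.exit(1 if gaps else 0)
```

Run with the two bundle paths as arguments on a server; a non-zero exit status means the published file lacks part of the chain.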