From a3c11b01afa4d0f33a507c03bfdd4299fdf987dc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Aug 22 2017 08:53:39 +0000
Subject: crtmgr: fix bug if CERTMONGER_CERTIFICATE not set


If CERTMONGER_CERTIFICATE is not set in certain scenario, the
code would fail since None cannot be passed to loading certificates.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 4c3b523..787db0d 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -379,10 +379,10 @@ def retrieve_or_reuse_cert(**kwargs):
     if not nickname:
         return (REJECTED, "Nickname could not be determined")
 
-    cert = x509.load_pem_x509_certificate(
-        fix_pem(os.environ.get('CERTMONGER_CERTIFICATE'))) # TODO: the fix_pem somehow got there early, so making this comment way too long to get rid of it later
+    cert = os.environ.get('CERTMONGER_CERTIFICATE')
     if not cert:
         return (REJECTED, "New certificate requests not supported")
+    cert = x509.load_pem_x509_certificate(fix_pem(cert.encode('ascii')))
 
     with ldap_connect() as conn:
         try: