-rw-r--r--ipaserver/install/certs.py8
-rw-r--r--ipaserver/install/installutils.py5
2 files changed, 11 insertions, 2 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index b170c7cbf..643cbda30 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -29,6 +29,7 @@ import base64
from hashlib import sha1
from nss import nss
+from nss.error import NSPRError
from ipapython.ipa_log_manager import root_logger
from ipapython import dogtag
@@ -286,7 +287,12 @@ class NSSDatabase(object):
certdb = nss.get_default_certdb()
cert = nss.find_cert_from_nickname(nickname)
intended_usage = nss.certificateUsageSSLServer
- approved_usage = cert.verify_now(certdb, True, intended_usage)
+ try:
+ approved_usage = cert.verify_now(certdb, True, intended_usage)
+ except NSPRError, e:
+ if e.errno != -8102:
+ raise ValueError(e.strerror)
+ approved_usage = 0
if not approved_usage & intended_usage:
raise ValueError('invalid for a SSL server')
if not cert.verify_hostname(hostname):
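Review bot: The bare `-8102` in the new `except NSPRError` branch is undocumented; it is NSS's SEC_ERROR_INADEQUATE_KEY_USAGE (SEC_ERROR_BASE + 90), and nothing here tells a reader that this is the one verification failure deliberately mapped to "no approved usage". Add a comment such as `# -8102 == SEC_ERROR_INADEQUATE_KEY_USAGE: treat as no approved usage so the check below rejects it`, or use the named constant if the installed python-nss exposes it in `nss.error`. Setting `approved_usage = 0` stays fail-closed only because the `if not approved_usage & intended_usage` test follows immediately; raising `ValueError('invalid for a SSL server')` directly in the handler would not depend on that ordering. The enclosing method starts above the hunk and continues past it.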
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a568eae7c..830a78a8b 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -720,7 +720,10 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
# Import the CA cert first so it has a known nickname
# (if it's present in the PKCS#12 it won't be overwritten)
ca_cert_name = 'The Root CA'
- nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+ try:
+ nssdb.import_pem_cert(ca_cert_name, "CT,C,C", ca_file)
+ except ValueError, e:
+ raise ScriptError(str(e))
# Import everything in the PKCS#12
nssdb.import_pkcs12(pkcs12_filename, db_pwd_file.name, pin_filename)
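Review bot: `raise ScriptError(str(e))` passes on only the low-level message, so the operator is not told which CA file was rejected; `raise ScriptError("%s: %s" % (ca_file, e))` would name it. The following `nssdb.import_pkcs12(...)` call is left outside the `try`, so whether its failures reach the user as a ScriptError depends on code not visible here. check_pkcs12 starts above the hunk and continues below it.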