author | Fraser Tweedale <ftweedal@redhat.com> | 2018-11-13 14:29:15 +1100 |
---|---|---|
committer | Christian Heimes <cheimes@redhat.com> | 2018-11-13 14:19:18 +0100 |
commit | a2a293ed2f40e3688634fc53dccb8d682fd2ab22 (patch) | |
tree | 49ba3e3cd334939f8697b61e4a58f77bad0a4540 | |
parent | 3abfaa5754197823d2d7a1e841e3929b035e7769 (diff) | |
Print correct subject on CA cert verification failure

In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.

To report the correct subject, look it up using the current
nickname.

Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
-rw-r--r-- | ipaserver/install/installutils.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 8ce6b5296..b0e8f93bf 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -1043,6 +1043,7 @@ def load_external_cert(files, ca_subject): try: nssdb.verify_ca_cert_validity(nickname) except ValueError as e: + cert, subject, issuer = cache[nickname] raise ScriptError( "CA certificate %s in %s is not valid: %s" % (subject, ", ".join(files), e)) |
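Review bot: In the `except ValueError as e:` branch, the added `cert, subject, issuer = cache[nickname]` rebinds `cert` and `issuer` as well as `subject`, although only `subject` is used in the ScriptError message. Consider `subject = cache[nickname][1]` or `_cert, subject, _issuer = cache[nickname]` so the handler does not overwrite names that the rest of load_external_cert() may still read. The lookup also runs inside the handler with no guard: if `nickname` were ever missing from `cache`, a KeyError would replace the intended ScriptError and hide which CA certificate failed validation, so a short comment stating that every verified nickname is guaranteed to be in `cache` (or a `cache.get()` with a fallback to the nickname) would make the error path safer to maintain. A regression test with a chain whose non-final certificate fails verification would pin the corrected subject in the message.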