author | Jan Cholasta <jcholast@redhat.com> | 2015-03-17 09:29:21 +0000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-03-19 14:38:34 +0000 |
commit | 95a628cfb9998dfb0a16a43077667d266ee9df17 (patch) | |
tree | eb5ca2655916524cdccd6bbfc8a1db5ce3bc0765 /ipa-client/ipa-install | |
parent | 39e474e14e5f02db89fc444fd08f4c6b6cbdf9d3 (diff) | |
client-install: Do not crash on invalid CA certificate in LDAP
When the CA certificates in LDAP are corrupted, fall back to the CA
certificates acquired earlier.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipa-client/ipa-install')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ccaab5536..a2ce10412 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2577,14 +2577,15 @@ def install(options, env, fstore, statestore):
 except ValueError:
 pass
+ ca_certs = x509.load_certificate_list_from_file(CACERT)
+ ca_certs = [cert.der_data for cert in ca_certs]
+
 with certdb.NSSDatabase() as tmp_db:
 # Add CA certs to a temporary NSS database
 try:
 pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
 tmp_db.create_db(pwd_file.name)
- ca_certs = x509.load_certificate_list_from_file(CACERT)
- ca_certs = [cert.der_data for cert in ca_certs]
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
 except CalledProcessError, e:
@@ -2657,8 +2658,16 @@ def install(options, env, fstore, statestore):
 return CLIENT_INSTALL_ERROR
 # Get CA certificates from the certificate store
- ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
- ca_enabled)
+ try:
+ ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
+ ca_enabled)
+ except errors.NoCertificateError:
+ if ca_enabled:
+ ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
+ else:
+ ca_subject = None
+ ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
+ ca_subject)
 ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
 for (c, n, t, u) in ca_certs] |
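Review bot: Hoisting `x509.load_certificate_list_from_file(CACERT)` out of the `try` block takes it out of reach of the `except CalledProcessError, e:` handler that follows, and of any further `except` clauses that lie outside the hunk; if the loader raises anything for a corrupt or missing local CACERT file, that now propagates as a traceback rather than through whatever error path the try block provided. If that handling is needed, wrap the two hoisted lines in their own `try`/`except` that returns CLIENT_INSTALL_ERROR with a message naming CACERT. The hoisted lines also deserve a comment explaining the non-obvious reason for the move, e.g. `# Loaded outside the temp NSS DB so the DER list can be reused as the fallback when the LDAP cert store is unreadable`. The body of install() continues on both sides of this hunk.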
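Review bot: The `except errors.NoCertificateError:` branch falls back to the locally loaded DER certificates without logging that the LDAP certificate store was unusable, so an operator has no record that the client ended up trusting certificates from CACERT instead of from LDAP. A warning at the top of the branch, e.g. `root_logger.warning("CA certificates in LDAP could not be read, falling back to %s", CACERT)`, keeps that visible in the install log. The branch also relies on `ca_certs` still holding the DER list bound in the earlier hunk; any code between the two hunks that rebinds the name would feed the wrong data into `make_compat_ca_certs`, and reusing one name for both the DER list and the (c, n, t, u) tuples makes that easy to miss, so a distinct name such as `local_ca_certs` for the DER list would be safer. `subject_base` and `DN` are used here but defined outside the hunk, and install() continues past both ends of it.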