diff options
| author | Florence Blanc-Renaud <frenaud@redhat.com> | 2016-06-21 16:34:21 +0200 |
|---|---|---|
| committer | Petr Vobornik <pvoborni@redhat.com> | 2016-06-30 14:53:37 +0200 |
| commit | 025cfd911bce6214ef2b4311b16c5b6df6ad173a (patch) | |
| tree | 0a921d81b5639e572302e457467e995029926027 /ipaserver/plugins/cert.py | |
| parent | f3858be6e353fadf0b1da1c31b908264ddd636c5 (diff) | |
| download | freeipa-025cfd911bce6214ef2b4311b16c5b6df6ad173a.tar.gz freeipa-025cfd911bce6214ef2b4311b16c5b6df6ad173a.tar.xz freeipa-025cfd911bce6214ef2b4311b16c5b6df6ad173a.zip | |
Fix ipa-server-certinstall with certs signed by 3rd-party CA
Multiple issues fixed:
- when untracking a certificate, the path to the NSS directory must be
exactly identical (no trailing /), otherwise the request is not found
and the old certificate is still tracked.
- when a cert is issued by a 3rd party CA, no need to track it
- the server_cert should not be found using cdb.find_server_certs()[0][0]
because this function can return multiple server certificates. For
instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
with the trust flags u,u,u. This leads to trying to track ipaCert (which is
already tracked).
The workaround is looking for server certs before and after the import,
and extract server-cert as the certificate in the second list but not in the
first list.
https://fedorahosted.org/freeipa/ticket/4785
https://fedorahosted.org/freeipa/ticket/4786
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipaserver/plugins/cert.py')
0 files changed, 0 insertions, 0 deletions