From 9939aa53630a9c6a66e83140e64ec56539891c13 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 17 Mar 2017 09:34:08 +0000 Subject: replica prepare: fix wrong IPA CA nickname in replica file Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and httpcert.p12, otherwise a generic nickname will be used for the IPA CA certificate instead of "$REALM IPA CA". This fixes replica install on domain level 0 from a replica file created using ipa-replica-install on IPA 4.5. https://pagure.io/freeipa/issue/6777 Reviewed-By: Martin Babinsky --- ipaserver/install/ipa_replica_prepare.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index f4925a6c4..95c3818a9 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -34,7 +34,7 @@ import dns.resolver from six.moves.configparser import SafeConfigParser # pylint: enable=import-error -from ipaserver.install import certs, installutils, bindinstance, dsinstance +from ipaserver.install import certs, installutils, bindinstance, dsinstance, ca from ipaserver.install.replication import enable_replication_version_checking from ipaserver.install.server.replicainstall import install_ca_cert from ipaserver.install.bindinstance import ( @@ -537,12 +537,13 @@ class ReplicaPrepare(admintool.AdminTool): """ hostname = self.replica_fqdn subject_base = self.subject_base + ca_subject = ca.lookup_ca_subject(api, subject_base) nickname = "Server-Cert" try: db = certs.CertDB( - api.env.realm, nssdir=self.dir, subject_base=subject_base, - host_name=api.env.host) + api.env.realm, nssdir=self.dir, host_name=api.env.host, + subject_base=subject_base, ca_subject=ca_subject) db.create_passwd_file() db.create_from_cacert() db.create_server_cert(nickname, hostname) -- cgit