URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized
From 2940a8774fe3283497d13ef287de2e10638e725f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 18 Apr 2017 17:14:27 +0200
Subject: [PATCH 1/2] server-install: No double Kerberos install

When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time.

https://pagure.io/freeipa/issue/6757
---
 ipaserver/install/server/install.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b899b4b..7c0eccf 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -761,12 +761,15 @@ def install(installer):
 realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None)
- krb = krbinstance.KrbInstance(fstore)
- krb.create_instance(realm_name, host_name, domain_name,
- dm_password, master_password,
- setup_pkinit=not options.no_pkinit,
- pkcs12_info=pkinit_pkcs12_info,
- subject_base=options.subject_base)
+ if not options.external_cert_files:
+ krb = krbinstance.KrbInstance(fstore)
+ krb.create_instance(realm_name, host_name, domain_name,
+ dm_password, master_password,
+ setup_pkinit=not options.no_pkinit,
+ pkcs12_info=pkinit_pkcs12_info,
+ subject_base=options.subject_base)
+ else:
+ krb = krbinstance.KrbInstance(fstore)

 if setup_ca:
 if not options.external_cert_files and options.external_ca:

From 9d165c77186f7f1f4db0c0cc3b58a6d5f3582384 Mon Sep 17 00:00:00 2001
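Review bot: Both branches of the new `if not options.external_cert_files:` construct `krbinstance.KrbInstance(fstore)`, so the `else:` exists only to keep `krb` bound for code later in `install()` that lies outside this hunk, and the duplication hides that intent. Hoist the construction above the condition and gate only the call, with a why-comment: `krb = krbinstance.KrbInstance(fstore)` / `if not options.external_cert_files:` / `# second external-CA step: the KDC was configured in step one, only rebind krb` followed by the existing `krb.create_instance(...)` call. Whatever later code calls methods on `krb` now runs, on the second step, against an instance that never had `create_instance()` called in this process; that is presumably intended because step one already configured the KDC, but it is worth confirming those methods rely only on fstore and on-disk state rather than on attributes `create_instance()` sets. `install()` starts and ends outside the hunk.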
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 18 Apr 2017 17:17:48 +0200
Subject: [PATCH 2/2] ext. CA: correctly write the cert chain

The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch.

https://pagure.io/freeipa/issue/6872
---
 ipaserver/install/cainstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1c8bb27..d452757 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -786,9 +786,10 @@ def __export_ca_chain(self):
 certlist = x509.pkcs7_to_pems(data, x509.DER)

 # We have all the certificates in certlist, write them to a PEM file
- for cert in certlist:
- with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
+ with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
+ for cert in certlist:
 ipaca_pem.write(cert)
+ ipaca_pem.write('\n')

 def __request_ra_certificate(self):
 # create a temp file storing the pwd
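Review bot: The rewritten block still truncates `paths.IPA_CA_CRT` in place with `open(..., 'w')` and then writes the chain one certificate at a time, so a crash or a concurrent reader between the truncate and the last write sees an empty or partial file; since this file is presumably the CA trust anchor other IPA components and clients consume, write to a sibling temp path and rename it into place: `tmp_path = paths.IPA_CA_CRT + '.tmp'`, `with open(tmp_path, 'w') as ipaca_pem:` around the unchanged loop, then `os.rename(tmp_path, paths.IPA_CA_CRT)` (assuming `os` is already imported in cainstance.py). A freshly created temp file takes its mode from the umask rather than from the file it replaces, so whatever mode the CA cert file is expected to have would need to be set explicitly before the rename. The added `ipaca_pem.write('\n')` is a reasonable separator but will leave blank lines between blocks if `x509.pkcs7_to_pems` already returns newline-terminated PEMs; a one-line comment such as `# separate blocks in case a PEM lacks its trailing newline` would record which case it guards against. `__export_ca_chain` starts outside the hunk.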