URL: https://github.com/freeipa/freeipa/pull/719 Author: stlaz Title: #719: External CA fixes Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/719/head:pr719 git checkout pr719
From 9cb7811d9b3b5c140dbf72edf9e4b00c412c3cf9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:14:27 +0200 Subject: [PATCH 1/2] server-install: No double Kerberos install When we're installing server with an external CA, the installation would have failed in the second step where it's passed the required CA cert file because it would have tried to perform the Kerberos installation for the second time. https://pagure.io/freeipa/issue/6757 --- ipaserver/install/server/install.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b899b4b..b360e05 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -762,11 +762,12 @@ def install(installer): options.subject_base, options.ca_subject, 1101, 1100, None) krb = krbinstance.KrbInstance(fstore) - krb.create_instance(realm_name, host_name, domain_name, - dm_password, master_password, - setup_pkinit=not options.no_pkinit, - pkcs12_info=pkinit_pkcs12_info, - subject_base=options.subject_base) + if not options.external_cert_files: + krb.create_instance(realm_name, host_name, domain_name, + dm_password, master_password, + setup_pkinit=not options.no_pkinit, + pkcs12_info=pkinit_pkcs12_info, + subject_base=options.subject_base) if setup_ca: if not options.external_cert_files and options.external_ca: From 27a2c13c3748e334aa86169c33f042075294d903 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Tue, 18 Apr 2017 17:17:48 +0200 Subject: [PATCH 2/2] ext. CA: correctly write the cert chain The cert file would have been rewritten all over again with any of the cert in the CA cert chain without this patch. https://pagure.io/freeipa/issue/6872 --- ipaserver/install/cainstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1c8bb27..d452757 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -786,9 +786,10 @@ def __export_ca_chain(self): certlist = x509.pkcs7_to_pems(data, x509.DER) # We have all the certificates in certlist, write them to a PEM file - for cert in certlist: - with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: + with open(paths.IPA_CA_CRT, 'w') as ipaca_pem: + for cert in certlist: ipaca_pem.write(cert) + ipaca_pem.write('\n') def __request_ra_certificate(self): # create a temp file storing the pwd
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
