Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3736>.
Honza -- Jan Cholasta
>From 9e18d5fb7a9c7d4e7604ca2788c087963fc2c0bb Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Wed, 3 Jul 2013 11:00:58 +0200 Subject: [PATCH] Skip cert issuer validation in service and host commands in CA-less install. https://fedorahosted.org/freeipa/ticket/3736 --- ipalib/x509.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipalib/x509.py b/ipalib/x509.py index dc5418e..ca6eac5 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -61,9 +61,12 @@ def subject_base(): return _subject_base def valid_issuer(issuer): + if not api.env.enable_ra: + return True # Handle all supported forms of issuer -- currently dogtag only. if api.env.ra_plugin == 'dogtag': return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base()) + return True def strip_header(pem): """ -- 1.8.3.1
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel