Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4397>.

Honza

--
Jan Cholasta
>From d479d6f3a929c4dea6d87e2d27e5de943d4d26ee Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 8 Aug 2014 10:15:26 +0200
Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to
 pkispawn.

https://fedorahosted.org/freeipa/ticket/4397
---
 ipaserver/install/cainstance.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 03aec95..3d0895a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -583,9 +583,20 @@ class CAInstance(service.Service):
             config.set("CA", "pki_external_csr_path", self.csr_file)
 
         elif self.external == 2:
+            cert_chain, stderr, rc = ipautil.run(
+                [paths.OPENSSL, 'crl2pkcs7',
+                 '-certfile', self.cert_chain_file,
+                 '-nocrl'])
+            # Dogtag chokes on the header and footer, remove them
+            # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
+            cert_chain = re.search(
+                r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
+                cert_chain, re.DOTALL).group(0)
+            cert_chain_file = ipautil.write_tmp_file(cert_chain)
+
             config.set("CA", "pki_external", "True")
             config.set("CA", "pki_external_ca_cert_path", self.cert_file)
-            config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
+            config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
             config.set("CA", "pki_external_step_two", "True")
 
         # Generate configuration file
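Review bot: The `re.search(...)` added after the Dogtag comment is dereferenced with `.group(0)` without checking for a match, so if `openssl crl2pkcs7` emits anything other than a `-----BEGIN PKCS7-----` block (an empty or unreadable `-certfile`, or a changed PEM label in a newer OpenSSL) the installer dies with an opaque `AttributeError: 'NoneType' object has no attribute 'group'` instead of naming the bad chain file. Bind the match, test it for `None`, and raise with `self.cert_chain_file` in the message so the operator knows which input to fix; the `stderr` captured from `ipautil.run` is currently discarded and would be worth folding into that message as well. The object returned by `ipautil.write_tmp_file` appears to be a `NamedTemporaryFile` that is unlinked once `cert_chain_file` is collected, so the local must stay referenced until pkispawn has read the config — a one-line comment such as `# keep this reference alive: the temp file is removed when it is collected` would prevent a later refactor from breaking it. The enclosing method begins before and continues after this hunk, and the hunk does not show whether `re` is already imported in this module.
```python
            match = re.search(
                r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
                cert_chain, re.DOTALL)
            if match is None:
                raise RuntimeError(
                    "openssl crl2pkcs7 produced no PEM PKCS#7 block for %s: %s"
                    % (self.cert_chain_file, stderr))
            cert_chain = match.group(0)
            # keep this reference alive: the temp file is removed when it is collected
            cert_chain_file = ipautil.write_tmp_file(cert_chain)
            # … unchanged: config.set(...) calls …
```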
-- 
1.9.3
