On 08/13/2014 03:57 PM, Martin Kosek wrote:
On 08/13/2014 03:12 PM, Petr Viktorin wrote:
This works for me, but I'm not sure if I'm correctly reproducing the specific
scenario this patch fixes. So as always, can you please add tests for code you


As far as other scenarios, it seems to me that when I do something wrong I get
a very unhelpful error message late in the installation.

I tried signing the request using xca but pkispawn choked on the result; I'll
try to write a reproducer script using command-line tools.

Attached is a script (based on the external ca integration test) that
reproduces the same IndexError as mentioned in the ticket. (If necessary,
adjust the IP addresses, hostnames, etc. to fit your environment.)
The difference from a working script is that extensions aren't added to the IPA
cert when it's signed.

This is a very good finding. If Jan's patch fixes the reported problem, let us
push it.

Pushed to:
master: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
ipa-4-1: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
ipa-4-0: 7c03ef0e727ca44ce1228e9896079a1d02227e14

But the missing validation should be fixed too. Can you please extend
that is (will be) planned for 4.1 and attach your script as well so that we can
improve the usability by both accepting more certificate types and validation?

Comment added.


Freeipa-devel mailing list

Reply via email to