Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4019>.

Honza

--
Jan Cholasta
>From 94c88e23285e33ac62e3a44352c238d2351d01da Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 29 Aug 2014 13:35:45 +0200
Subject: [PATCH] Normalize external CA cert before passing it to pkispawn

https://fedorahosted.org/freeipa/ticket/4019
---
 ipaserver/install/cainstance.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3d0895a..2a59f71 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -583,6 +583,11 @@ class CAInstance(service.Service):
             config.set("CA", "pki_external_csr_path", self.csr_file)
 
         elif self.external == 2:
+            cert = x509.load_certificate_from_file(self.cert_file)
+            cert_file = tempfile.NamedTemporaryFile()
+            x509.write_certificate(cert.der_data, cert_file.name)
+            cert_file.flush()
+
             cert_chain, stderr, rc = ipautil.run(
                 [paths.OPENSSL, 'crl2pkcs7',
                  '-certfile', self.cert_chain_file,
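Review bot: `cert_file.flush()` on line 30 flushes an empty buffer: the certificate is written by `x509.write_certificate` through a second open on `cert_file.name`, not through the `cert_file` object, so the flush does nothing and suggests the object holds the data when it does not. Either write the encoded certificate through the file object so the flush is meaningful, or drop the flush and say why the object is kept at all: `# keep cert_file referenced: NamedTemporaryFile is removed on close/GC and pkispawn reads it by name later`. The same four lines are repeated in the third hunk (the pkicreate argument path); a small private helper that returns the NamedTemporaryFile would keep the two call sites in step. The enclosing method starts before and ends after this hunk, so it cannot be confirmed here that `cert_file` is still referenced when pkispawn runs; it mirrors the existing `cert_chain_file` pattern, so presumably it is.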
@@ -595,7 +600,7 @@ class CAInstance(service.Service):
             cert_chain_file = ipautil.write_tmp_file(cert_chain)
 
             config.set("CA", "pki_external", "True")
-            config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+            config.set("CA", "pki_external_ca_cert_path", cert_file.name)
             config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
             config.set("CA", "pki_external_step_two", "True")
 
@@ -730,10 +735,15 @@ class CAInstance(service.Service):
                 args.append("-ext_csr_file")
                 args.append(self.csr_file)
             elif self.external == 2:
+                cert = x509.load_certificate_from_file(self.cert_file)
+                cert_file = tempfile.NamedTemporaryFile()
+                x509.write_certificate(cert.der_data, cert_file.name)
+                cert_file.flush()
+
                 args.append("-external")
                 args.append("true")
                 args.append("-ext_ca_cert_file")
-                args.append(self.cert_file)
+                args.append(cert_file.name)
                 args.append("-ext_ca_cert_chain_file")
                 args.append(self.cert_chain_file)
             else:
-- 
1.9.3
