this patch removes (IMHO) redundat check in cert_show, which fails when
host tries to re-submit certificate of different host/service which he can

I also reported the bug here:

I tired to run the tests as well and it doesn't seem to break anything.
Any feedpack appriciated.

Jan Orel
From 3d2dc37614897597dbffb50b0fcd86f113dfe716 Mon Sep 17 00:00:00 2001
From: Jan Orel <jan.o...@gooddata.com>
Date: Thu, 8 Oct 2015 15:53:41 +0200
Subject: [PATCH] cert-show: Remove check if hostname != CN

This check does not work in case that host is resubmitting
certificate for host/service that he can manage.
 ipalib/plugins/cert.py | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e4593200e01addea31c8fcda981fbe1d65058c27..1343c5706b0ad49305873b9aec0ece3f280f3ba8 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -624,11 +624,6 @@ class cert_show(VirtualCommand):
         result['valid_not_after'] = unicode(cert.valid_not_after_str)
         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
-        if hostname:
-            # If we have a hostname we want to verify that the subject
-            # of the certificate matches it, otherwise raise an error
-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
-                raise acierr
         return dict(result=result)

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to