Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5612>.

Honza

--
Jan Cholasta
From 7e0ec898cd58647250ed673fa55b98012939e373 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 22 Feb 2016 18:14:46 +0100
Subject: [PATCH] cacert install: fix trust chain validation

https://fedorahosted.org/freeipa/ticket/5612
---
 ipaserver/install/ipa_cacert_manage.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 2a4e8ef..de13ad3 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -335,10 +335,17 @@ class CACertManage(admintool.AdminTool):
 
         nickname = options.nickname or str(subject)
 
+        ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
+                                              api.env.basedn,
+                                              api.env.realm,
+                                              False)
+
         with certs.NSSDatabase() as tmpdb:
             pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
             tmpdb.create_db(pw.name)
             tmpdb.add_cert(cert, nickname, 'C,,')
+            for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+                tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
 
             try:
                 tmpdb.verify_ca_cert_validity(nickname)
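Review bot: The loop that imports the stored CA certificates adds each one under its certstore nickname, but the certificate being checked was just added under `nickname`, which is `options.nickname or str(subject)` and therefore user-chosen; if a supplied nickname equals one of the `ca_nickname` values, two certificates end up under the same nickname in tmpdb and `verify_ca_cert_validity(nickname)` is no longer guaranteed to examine the one the user passed in. What `add_cert` does with a duplicate nickname is not visible here, so this is inferred, but a guard before the import, `if ca_nickname == nickname: continue` (or an explicit error telling the user to choose another nickname), would make the check unambiguous either way. The trailing positional `False` in the `get_ca_certs_nss` call also deserves a short comment naming what it switches off, since nothing at the call site says so. The enclosing method and the `with`/`try` blocks continue outside the hunk.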
-- 
2.5.0
