Hi all,

this patch adds in the error message the missing certificate that caused i/pa-server-install --external-cert-file=.../ to fail.


Florence Blanc-Renaud
Identity Management Team, Red Hat

From 5500fa36a7e61d3d86ee4550029c09fef917ce95 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 30 May 2016 14:27:01 +0200
Subject: [PATCH] Report missing certificate in external trust chain

When ipa-server-install is called with an external CA, but the cert chain is
incomplete, the command exits with the following error:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete

The fix adds in the log the name of the missing certificate:
ERROR    CA certificate chain in <list of --external-cert-file> is incomplete: missing cert for issuer '<dn of the missing certificate>'

 ipaserver/install/installutils.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 179909543e8791ff2a85b6bf4ce57dee8d00508b..a7199e083e8281747506a0bf4e5cfe1b6d115d9c 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1031,8 +1031,9 @@ def load_external_cert(files, subject_base):
             raise ScriptError(
-                "CA certificate chain in %s is incomplete" %
-                (", ".join(files)))
+                "CA certificate chain in %s is incomplete: "
+                "missing cert for issuer '%s'" %
+                (", ".join(files), issuer))
         for nickname in trust_chain:

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to