Hi all,

This patch adds to the error message the missing certificate that caused ipa-server-install --external-cert-file=... to fail.


https://fedorahosted.org/freeipa/ticket/5792

--
Florence Blanc-Renaud
Identity Management Team, Red Hat

From 5500fa36a7e61d3d86ee4550029c09fef917ce95 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 30 May 2016 14:27:01 +0200
Subject: [PATCH] Report missing certificate in external trust chain

When ipa-server-install is called with an external CA, but the cert chain is
incomplete, the command exits with the following error:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete

The fix adds in the log the name of the missing certificate:
ERROR    CA certificate chain in <list of --external-cert-file> is incomplete: missing cert for issuer '<dn of the missing certificate>'

https://fedorahosted.org/freeipa/ticket/5792
---
 ipaserver/install/installutils.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 179909543e8791ff2a85b6bf4ce57dee8d00508b..a7199e083e8281747506a0bf4e5cfe1b6d115d9c 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1031,8 +1031,9 @@ def load_external_cert(files, subject_base):
                 break
         else:
             raise ScriptError(
-                "CA certificate chain in %s is incomplete" %
-                (", ".join(files)))
+                "CA certificate chain in %s is incomplete: "
+                "missing cert for issuer '%s'" %
+                (", ".join(files), issuer))
 
         for nickname in trust_chain:
             try:
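Review bot: In the new ScriptError message, `issuer` is interpolated with '%s', but the hunk does not show where it is bound or what type it holds. Please confirm that it is always assigned before the loop whose `else:` branch raises here, and that its string form is the readable DN the commit message promises; an explicit string conversion at this point would make that certain. It would also help the administrator if the message named the certificate whose issuer could not be found, so the gap in the chain can be located in the supplied files. Minor style point: "cert" could be spelled out as "certificate" to match the first half of the message.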
-- 
2.5.5
