Hi,

thanks to Jan and Fraser for the review and the suggested error message. Please find the updated patch attached.


Flo.


On 06/02/2016 08:55 AM, Fraser Tweedale wrote:
> On Thu, Jun 02, 2016 at 07:54:31AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 30.5.2016 19:58, Florence Blanc-Renaud wrote:
>>> Hi all,
>>>
>>> this patch adds in the error message the missing certificate that caused
>>> /ipa-server-install --external-cert-file=.../ to fail.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5792
>>
>> I think someone may confuse "issuer" with the "issuer name" field in the
>> certificate, also IMO we should use "certificate" rather than "cert" in
>> error messages, so I would rather use something like "missing certificate
>> with subject '%s'" or maybe just "missing certificate '%s'".
>
> Let us be as specific as possible; Honza's suggestion "missing
> certificate with subject '%s'" is preferable.
>
> Cheers,
> Fraser

--
Florence Blanc-Renaud
Identity Management Team, Red Hat

From 83603d70680c4690d4861322369a54c37b06b4c8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 30 May 2016 14:27:01 +0200
Subject: [PATCH] Report missing certificate in external trust chain

When ipa-server-install is called with an external CA, but the cert chain is
incomplete, the command exits with the following error:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete

The fix adds in the log the name of the missing certificate:
ERROR    CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>'

https://fedorahosted.org/freeipa/ticket/5792
---
 ipaserver/install/installutils.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 2a71ef7ac767c8259c6d2bc63399fdec55b3f8dc..0a683020450eb0eda119546ab3ab9c93b3ec8d1c 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1015,8 +1015,9 @@ def load_external_cert(files, subject_base):
                 break
         else:
             raise ScriptError(
-                "CA certificate chain in %s is incomplete" %
-                (", ".join(files)))
+                "CA certificate chain in %s is incomplete: "
+                "missing certificate with subject '%s'" %
+                (", ".join(files), issuer))
 
         for nickname in trust_chain:
             try:
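Review bot: in the new `ScriptError` message, `issuer` is interpolated as the missing certificate's subject, but nothing in this hunk shows where `issuer` was last assigned or what type it has. Because the `raise` sits in the `else:` that follows the `break`, a one-line comment above it would help, saying that `issuer` is the issuer name of the last certificate that was matched and therefore the subject of the certificate that is missing, so that the variable name and the word "subject" in the message do not look contradictory. It is also worth confirming that `%s` on this value yields a readable DN string, since it comes from the supplied certificate files and ends up in the log inside single quotes.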
-- 
2.5.5
