thanks to Jan and Fraser for the review and the suggested error message.
Please find the updated patch attached.
On 06/02/2016 08:55 AM, Fraser Tweedale wrote:
On Thu, Jun 02, 2016 at 07:54:31AM +0200, Jan Cholasta wrote:
On 30.5.2016 19:58, Florence Blanc-Renaud wrote:
this patch adds in the error message the missing certificate that caused
i/pa-server-install --external-cert-file=.../ to fail.
I think someone may confuse "issuer" with the "issuer name" field in the
certificate, also IMO we should use "certificate" rather than "cert" in
error messages, so I would rather use something like "missing certificate
with subject '%s'" or maybe just "missing certificate '%s'".
Let us be as specific as possible; Honza's suggestion "missing
certificate with subject '%s'" is preferable.
Identity Management Team, Red Hat
From 83603d70680c4690d4861322369a54c37b06b4c8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 30 May 2016 14:27:01 +0200
Subject: [PATCH] Report missing certificate in external trust chain
When ipa-server-install is called with an external CA, but the cert chain is
incomplete, the command exits with the following error:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete
The fix adds in the log the name of the missing certificate:
ERROR CA certificate chain in <list of --external-cert-file> is incomplete: missing certificate with subject '<dn of the missing certificate>'
ipaserver/install/installutils.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 2a71ef7ac767c8259c6d2bc63399fdec55b3f8dc..0a683020450eb0eda119546ab3ab9c93b3ec8d1c 100644
@@ -1015,8 +1015,9 @@ def load_external_cert(files, subject_base):
- "CA certificate chain in %s is incomplete" %
- (", ".join(files)))
+ "CA certificate chain in %s is incomplete: "
+ "missing certificate with subject '%s'" %
+ (", ".join(files), issuer))
for nickname in trust_chain:
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code