URL: https://github.com/freeipa/freeipa/pull/719
Author: stlaz
 Title: #719: External CA fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/719/head:pr719
git checkout pr719
From 2940a8774fe3283497d13ef287de2e10638e725f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 18 Apr 2017 17:14:27 +0200
Subject: [PATCH 1/2] server-install: No double Kerberos install

When we're installing server with an external CA, the installation
would have failed in the second step where it's passed the required
CA cert file because it would have tried to perform the Kerberos
installation for the second time.

https://pagure.io/freeipa/issue/6757
---
 ipaserver/install/server/install.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b899b4b..7c0eccf 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -761,12 +761,15 @@ def install(installer):
             realm_name, host_name, domain_name, dm_password,
             options.subject_base, options.ca_subject, 1101, 1100, None)
 
-    krb = krbinstance.KrbInstance(fstore)
-    krb.create_instance(realm_name, host_name, domain_name,
-                        dm_password, master_password,
-                        setup_pkinit=not options.no_pkinit,
-                        pkcs12_info=pkinit_pkcs12_info,
-                        subject_base=options.subject_base)
+    if not options.external_cert_files:
+        krb = krbinstance.KrbInstance(fstore)
+        krb.create_instance(realm_name, host_name, domain_name,
+                            dm_password, master_password,
+                            setup_pkinit=not options.no_pkinit,
+                            pkcs12_info=pkinit_pkcs12_info,
+                            subject_base=options.subject_base)
+    else:
+        krb = krbinstance.KrbInstance(fstore)
 
     if setup_ca:
         if not options.external_cert_files and options.external_ca:

From 9d165c77186f7f1f4db0c0cc3b58a6d5f3582384 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 18 Apr 2017 17:17:48 +0200
Subject: [PATCH 2/2] ext. CA: correctly write the cert chain

The cert file would have been rewritten all over again with
any of the cert in the CA cert chain without this patch.

https://pagure.io/freeipa/issue/6872
---
 ipaserver/install/cainstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1c8bb27..d452757 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -786,9 +786,10 @@ def __export_ca_chain(self):
         certlist = x509.pkcs7_to_pems(data, x509.DER)
 
         # We have all the certificates in certlist, write them to a PEM file
-        for cert in certlist:
-            with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
+        with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
+            for cert in certlist:
                 ipaca_pem.write(cert)
+                ipaca_pem.write('\n')
 
     def __request_ra_certificate(self):
         # create a temp file storing the pwd
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to