URL: https://github.com/freeipa/freeipa/pull/622
Author: HonzaCholasta
Title: #622: replica prepare: fix wrong IPA CA nickname in replica file
Action: opened

PR body:
"""
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".

This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.

https://pagure.io/freeipa/issue/6777
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/622/head:pr622
git checkout pr622
From 0b614024852c20b63a03ae2b62f99b84ec8df825 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 17 Mar 2017 09:34:08 +0000
Subject: [PATCH] replica prepare: fix wrong IPA CA nickname in replica file

Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".

This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.

https://pagure.io/freeipa/issue/6777
---
 ipaserver/install/ipa_replica_prepare.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f4925a6..95c3818 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,7 +34,7 @@
 from six.moves.configparser import SafeConfigParser
 # pylint: enable=import-error
 
-from ipaserver.install import certs, installutils, bindinstance, dsinstance
+from ipaserver.install import certs, installutils, bindinstance, dsinstance, ca
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.server.replicainstall import install_ca_cert
 from ipaserver.install.bindinstance import (
@@ -537,12 +537,13 @@ def export_certdb(self, fname, passwd_fname):
         """
         hostname = self.replica_fqdn
         subject_base = self.subject_base
+        ca_subject = ca.lookup_ca_subject(api, subject_base)
         nickname = "Server-Cert"
 
         try:
             db = certs.CertDB(
-                api.env.realm, nssdir=self.dir, subject_base=subject_base,
-                host_name=api.env.host)
+                api.env.realm, nssdir=self.dir, host_name=api.env.host,
+                subject_base=subject_base, ca_subject=ca_subject)
             db.create_passwd_file()
             db.create_from_cacert()
             db.create_server_cert(nickname, hostname)
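Review bot: `ca_subject = ca.lookup_ca_subject(api, subject_base)` sits above the `try:` in export_certdb, so an error raised by the lookup is not covered by whatever handler guards the CertDB calls below it. Consider moving the lookup inside the `try:` block, or handling its failure explicitly, so a failed CA subject lookup is reported the same way as a failed `certs.CertDB(...)` setup. The docstring that closes just above could also mention that the CA subject is now looked up through `api`, since per the commit message the IPA CA nickname in dscert.p12 and httpcert.p12 depends on it.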
-- 