Add cert checks in ipa-server-certinstall #50
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
||
| # import all the CA certs from nssdb into the temp db | ||
| for nickname, flags in nssdb.list_certs(): | ||
| if 'C' in flags: |
There was a problem hiding this comment.
CA certs don't have to have the C flag set. The proper check is if 'u' not in flags:.
|
NACK, see my inline comments above. |
flo-renaud
force-pushed
the
fixservercert
branch
from
b68d1a1
to
087c96f
Compare
| pkcs12_pin) | ||
| for nickname, flags in tempnssdb.list_certs(): | ||
| if 'u' not in flags: | ||
| tempnssdb.delete_cert(nickname) |
There was a problem hiding this comment.
If there are multiple certs with the same nickname, delete_cert will only delete one of them. To delete them all, you have to:
while tempnssdb.has_nickname(nickname):
tempnssdb.delete_cert(nickname)
|
More comments inline. |
flo-renaud
force-pushed
the
fixservercert
branch
2 times, most recently
from
64d335e
to
835eb95
Compare
|
Bump for review |
|
Functional ACK, but please don't use newlines in exception messages. If you want the original error on a separate line, you can use the logger to log it, but I think it would be preferable to use this format: |
When ipa-server-certinstall is called to install a new server certificate, the prerequisite is that the certificate issuer must be already known by IPA. This fix adds new checks to make sure that the tool exits before modifying the target NSS database if it is not the case. The fix consists in creating a temp NSS database with the CA certs from the target NSS database + the new server cert and checking the new server cert validity. https://fedorahosted.org/freeipa/ticket/6263
flo-renaud
force-pushed
the
fixservercert
branch
from
835eb95
to
b4d5a74
Compare
|
Fixed upstream |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by IPA.
This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.
The fix consists in creating a temp NSS database with the CA certs from the
target NSS database + the new server cert and checking the new server cert
validity.
https://fedorahosted.org/freeipa/ticket/6263