External CA fixes #719

Closed
wants to merge 2 commits into from

@stlaz stlaz commented Apr 18, 2017

External CA installation would have failed for 2 reasons:

  • Trying to perform Kerberos install twice
  • Rewriting the CA cert file with each consecutive certificate in the certificate chain instead of appending them

This patchset fixes that behavior.

pkcs12_info=pkinit_pkcs12_info,
subject_base=options.subject_base)
else:
krb = krbinstance.KrbInstance(fstore)
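
Review bot: the `else:` branch ending in `krb = krbinstance.KrbInstance(fstore)` has no comment saying which installation step reaches it. Since the description attributes the failure to Kerberos being installed a second time, a one-line comment naming the condition that selects this branch would help keep a later change from reintroducing the double install.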

Contributor

This exact line is in both branches of the if statement. I think it would be better to move it before the if statement.

Contributor Author

You're right, this is silly, thanks.

When we're installing server with an external CA, the installation
would have failed in the second step where it's passed the required
CA cert file because it would have tried to perform the Kerberos
installation for the second time.

https://pagure.io/freeipa/issue/6757

The cert file would have been rewritten all over again with
any of the certs in the CA cert chain without this patch.

https://pagure.io/freeipa/issue/6872
@HonzaCholasta added the `ack` (Pull Request approved, can be merged) and `pushed` (Pull Request has already been pushed) labels Apr 19, 2017
@HonzaCholasta
Contributor

master:

  • 25a33ce server-install: No double Kerberos install
  • 7b85031 ext. CA: correctly write the cert chain

ipa-4-5:

  • 2144eaf server-install: No double Kerberos install
  • a6af003 ext. CA: correctly write the cert chain

@stlaz stlaz deleted the extca_fixes branch July 7, 2017 12:19
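
The second failure described in this pull request (the CA cert file being rewritten with each certificate in the chain instead of having them appended) can be reproduced and checked with the added example below. It is not FreeIPA's code: the function names, file names and the three placeholder PEM blocks are constructed for illustration.

```python
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-ins for a three-certificate chain (not real certificates).
CHAIN = [
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
    for body in ("AAAA", "BBBB", "CCCC")
]


def write_chain_overwriting(path, certs):
    """Buggy pattern: reopening with mode 'w' truncates the file each time."""
    for pem in certs:
        with open(path, "w") as f:
            f.write(pem)


def write_chain(path, certs):
    """Open once, write every certificate, then rename into place."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        for pem in certs:
            f.write(pem)
    os.replace(tmp, path)  # readers never see a partially written chain


def count_certs(path):
    """Number of PEM certificate blocks in the file."""
    with open(path) as f:
        return len(PEM_BLOCK.findall(f.read()))


def demo():
    """Return (certs kept by buggy writer, certs kept by fixed writer,
    whether the buggy file holds only the last certificate)."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "ca_bad.crt")
        good = os.path.join(d, "ca_good.crt")
        write_chain_overwriting(bad, CHAIN)
        write_chain(good, CHAIN)
        with open(bad) as f:
            last_only = f.read() == CHAIN[-1]
        return count_certs(bad), count_certs(good), last_only


if __name__ == "__main__":
    print(demo())
```

Comparing `count_certs()` on the written file against the length of the chain that was supplied is a cheap post-install check for this class of bug.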