URL: https://github.com/freeipa/freeipa/pull/576
Author: flo-renaud
Title: #576: Installation must publish CA cert in /usr/share/ipa/html/ca.crt
Action: opened

PR body:
"""
Regression introduced with commit d124e30.
ipa-server-install and ipa-replica-install must publish the CA cert
in /usr/share/ipa/html/ca.crt, otherwise the web page
http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to
http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing.

https://pagure.io/freeipa/issue/6750
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/576/head:pr576
git checkout pr576
From 9f7be115b616f04c9661362770f8662f450b60bc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Mon, 13 Mar 2017 16:12:46 +0100
Subject: [PATCH] Installation must publish CA cert in
 /usr/share/ipa/html/ca.crt

Regression introduced with commit d124e30.
ipa-server-install and ipa-replica-install must publish the CA cert
in /usr/share/ipa/html/ca.crt, otherwise the web page
http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to
http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing.

https://pagure.io/freeipa/issue/6750
---
 ipaserver/install/httpinstance.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e8fb0c..27d0cfe 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -174,6 +174,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
             self.step("configure certmonger for renewals",
                       self.configure_certmonger_renewal_guard)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
+        self.step("publish CA cert", self.__publish_ca_cert)
         self.step("clean up any existing httpd ccaches",
                   self.remove_httpd_ccaches)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
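Review bot: The new "publish CA cert" step depends on running after "importing CA certificates from LDAP", but nothing at the call site says so. __publish_ca_cert in the next hunk exports from the NSS database under paths.HTTPD_ALIAS_DIR, so a later reordering of these self.step() calls could publish a stale or missing certificate without any obvious failure. A one-line comment above the new step stating the ordering requirement would protect it. The label could also name the destination (paths.CA_CRT) so the install log shows where the trust anchor was written. Separately, since the step is only registered in create_instance, is anything needed for servers that were already installed with the regressed code and still lack the file?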
@@ -422,6 +423,11 @@ def __import_ca_certs(self):
                           subject_base=self.subject_base)
         self.import_ca_certs(db, self.ca_is_configured)
 
+    def __publish_ca_cert(self):
+        ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
+                             subject_base=self.subject_base)
+        ca_db.publish_ca_cert(paths.CA_CRT)
+
     def is_kdcproxy_configured(self):
         """Check if KDC proxy has already been configured in the past"""
         return os.path.isfile(paths.HTTPD_IPA_KDCPROXY_CONF)
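Review bot: __publish_ca_cert has no docstring, and the reason this file must exist (ssbrowser.html links to /ipa/config/ca.crt, per the commit message) is exactly what was lost in the regression. A short docstring naming that consumer, like the one on is_kdcproxy_configured just below, would make the step harder to drop again in a later refactor. The method also builds a CertDB with the same realm, nssdir and subject_base arguments that the tail of __import_ca_certs suggests are used there, so a small shared helper for constructing it would avoid the two copies drifting apart. Since clients fetch this file as their trust anchor, an install test asserting that paths.CA_CRT exists and is readable after create_instance would be a worthwhile follow-up.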
-- 