From 451c2e2bc4da52900dbf6cd67ea62ccd70e8e421 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 29 Aug 2014 13:35:45 +0200
Subject: [PATCH] Normalize external CA cert before passing it to pkispawn

https://fedorahosted.org/freeipa/ticket/4019
Reviewed-By: Petr Viktorin
---
 ipaserver/install/cainstance.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2a8ecc00c..00cb59771 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -590,6 +590,11 @@ class CAInstance(service.Service):
 config.set("CA", "pki_external_csr_path", self.csr_file)
 elif self.external == 2:
+ cert = x509.load_certificate_from_file(self.cert_file)
+ cert_file = tempfile.NamedTemporaryFile()
+ x509.write_certificate(cert.der_data, cert_file.name)
+ cert_file.flush()
+
 cert_chain, stderr, rc = ipautil.run(
 [paths.OPENSSL, 'crl2pkcs7',
 '-certfile', self.cert_chain_file,
@@ -602,7 +607,7 @@ class CAInstance(service.Service):
 cert_chain_file = ipautil.write_tmp_file(cert_chain)
 config.set("CA", "pki_external", "True")
- config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+ config.set("CA", "pki_external_ca_cert_path", cert_file.name)
 config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two", "True")
@@ -737,10 +742,15 @@ class CAInstance(service.Service):
 args.append("-ext_csr_file")
 args.append(self.csr_file)
 elif self.external == 2:
+ cert = x509.load_certificate_from_file(self.cert_file)
+ cert_file = tempfile.NamedTemporaryFile()
+ x509.write_certificate(cert.der_data, cert_file.name)
+ cert_file.flush()
+
 args.append("-external")
 args.append("true")
 args.append("-ext_ca_cert_file")
- args.append(self.cert_file)
+ args.append(cert_file.name)
 args.append("-ext_ca_cert_chain_file")
 args.append(self.cert_chain_file)
 else:
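Review bot: `cert_file.flush()` in the added lines under `elif self.external == 2:` appears to have no effect, because the certificate is written by handing `cert_file.name` to `x509.write_certificate()` rather than through the `cert_file` handle; presumably that helper opens and closes the path itself. Either drop the flush or say why the handle exists, e.g. `# write_certificate() reopens the path; cert_file only owns the name and removes it on close`. The same four added lines are repeated in the third hunk (`@@ -737,10 +742,15 @@`), so a small private helper returning the temporary file would keep the two call sites from drifting apart. A short comment on what the normalization is for (only the parsed certificate is re-written, so whatever else the operator-supplied `self.cert_file` contains is not passed on) would also help the next reader. The enclosing method starts and ends outside the hunk.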
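Review bot: `cert_file.name` on the new `config.set("CA", "pki_external_ca_cert_path", ...)` line is a usable path only while the `NamedTemporaryFile` created in the first hunk stays open, since by default the file is removed when the object is closed or garbage-collected. The pkispawn call that consumes this config is outside the hunk, so it cannot be confirmed from here that `cert_file` is still referenced when it runs. A comment next to this line, such as `# cert_file must stay referenced until pkispawn has run; the temp file is deleted on close`, would guard against a later refactor moving the call out of this scope. The same applies to `args.append(cert_file.name)` in the third hunk (`@@ -737,10 +742,15 @@`).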