Specify cert_paths when calling PKIConnection

PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Alexander Scheel
2020-06-19 08:48:56 -04:00
committed by Christian Heimes
parent 6a0901f6fd
commit a087d82e78
5 changed files with 19 additions and 11 deletions


@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
else:
pki_pin = None
# When spawning a CA instance, always point to IPA_CA_CRT if it
# exists. Later, when we're performing step 2 of an external CA
# installation, we'll overwrite this key to point to the real
# external CA.
if os.path.exists(paths.IPA_CA_CRT):
cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
if self.clone:
if self.no_db_setup:
cfg.update(
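Review bot: The `if os.path.exists(paths.IPA_CA_CRT):` guard has no else branch, so when the file is absent `cfg['pki_cert_chain_path']` is left unset and nothing records that it was skipped. Since the commit message says PKIConnection now defaults to verify=True, consider logging at debug level in that case so a later certificate validation problem can be traced back here. `os.path.exists` is also true for a directory; `os.path.isfile` would match the intent of pointing at a single CA certificate file. Finally, the comment relies on step 2 of an external CA installation overwriting this key, but that overwrite is not visible in this hunk; naming the method that performs it in the comment would make the dependency checkable.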