Print correct subject on CA cert verification failure

In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.

To report the correct subject, look it up using the current
nickname.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fraser Tweedale 2018-11-13 14:29:15 +11:00 committed by Christian Heimes
parent 3abfaa5754
commit a2a293ed2f

@ -1043,6 +1043,7 @@ def load_external_cert(files, ca_subject):
try:
nssdb.verify_ca_cert_validity(nickname)
except ValueError as e:
cert, subject, issuer = cache[nickname]
raise ScriptError(
"CA certificate %s in %s is not valid: %s" %
(subject, ", ".join(files), e))
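
Review bot: In the except handler, `cert, subject, issuer = cache[nickname]` rebinds `cert` and `issuer` as well as `subject`, although only `subject` is used in the error message. Because the handler raises immediately this has no effect on later code, but unpacking only what is needed, for example `_cert, subject, _issuer = cache[nickname]` or `subject = cache[nickname][1]`, would make the intent clearer and avoid shadowing any names of the same kind bound by the surrounding loop. The lookup also assumes `nickname` is always a key in `cache`; if it can be absent, a KeyError raised here would replace the ScriptError the handler is meant to produce, so that invariant is worth confirming against the code that fills `cache`, which is not visible in this hunk.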