IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Print correct subject on CA cert verification failure

Browse Source 
In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.

To report the correct subject, look it up using the current
nickname.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Fraser Tweedale
2018-11-13 14:29:15 +11:00
committed by Christian Heimes
parent 3abfaa5754
commit a2a293ed2f
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ipaserver/install/installutils.py
View File

@@ -1043,6 +1043,7 @@ def load_external_cert(files, ca_subject):
try: try:
nssdb.verify_ca_cert_validity(nickname) nssdb.verify_ca_cert_validity(nickname)
except ValueError as e: except ValueError as e:
cert, subject, issuer = cache[nickname]
raise ScriptError( raise ScriptError(
"CA certificate %s in %s is not valid: %s" % "CA certificate %s in %s is not valid: %s" %
(subject, ", ".join(files), e)) (subject, ", ".join(files), e))