mirror of https://salsa.debian.org/freeipa-team/freeipa.git (synced 2024-12-24 16:10:02 -06:00)
ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
When IPA is installed with an externally signed CA, the master installer does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but /etc/ipa/ca.crt contains the full chain). If a client is installed with a One-Time Password and without the --ca-cert-file option, the client installer downloads the cert chain from http://master.example.com/ipa/config/ca.crt, which is in fact /usr/share/ipa/html/ca.crt. The client installation then fails.

Note that when the client is installed by providing admin/password, installation succeeds because the cert chain is read from the LDAP server.

https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
parent 7c5ecb8d08
commit af99032d90
@ -432,7 +432,7 @@ class HTTPInstance(service.Service):
raise RuntimeError("HTTPD cert was issued by an unknown CA.")
# at this time we can assume any CA cert will be valid since this is
# only run during installation
x509.write_certificate(ca_certs[0], paths.CA_CRT)
x509.write_certificate_list(certlist, paths.CA_CRT)
def is_kdcproxy_configured(self):
"""Check if KDC proxy has already been configured in the past"""
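Review bot: `certlist` replaces `ca_certs[0]` in the `x509.write_certificate_list(certlist, paths.CA_CRT)` call, but `certlist` is not defined or assigned anywhere in the visible context of this hunk; please confirm it is the same chain that passed the `raise RuntimeError("HTTPD cert was issued by an unknown CA.")` check above, so that the file at `paths.CA_CRT` only ever receives certificates that were validated, and that the chain order is preserved so clients reading the file get the issuing CA first. Since the file now carries the entire chain rather than a single CA certificate, the comment "we can assume any CA cert will be valid since this is only run during installation" should be updated to state that the assumption now covers every certificate in the list, and given that the commit message says this path is served to unauthenticated clients over HTTP as /ipa/config/ca.crt, a short comment noting that the file is publicly served would help the next reader understand why its contents must be the validated chain and nothing else.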