ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt

When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).

If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.

https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
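A quick way for an administrator to confirm the condition this commit describes, that the bundle served at http://master.example.com/ipa/config/ca.crt (the file /usr/share/ipa/html/ca.crt) carries every certificate of the chain in /etc/ipa/ca.crt, is to split both PEM bundles and compare them. The script below is an added example written for this page, not code from FreeIPA; the paths and URL are the ones named in the commit message, and the PEM bodies it embeds are constructed placeholders rather than real certificates. It reports which positions of the canonical chain are missing from the published file and whether the published file carries anything the canonical chain does not.

```python
"""Compare the CA bundle an IPA master publishes over HTTP with the
canonical chain in /etc/ipa/ca.crt.

Added example; not FreeIPA project code.  Paths and URL follow the commit
message; the PEM bodies below are constructed placeholders, not certificates.
"""
import base64
import re
from typing import Dict, List
from urllib.request import urlopen

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem(bundle: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in file order.

    Whitespace and line endings are stripped first, so the same certificate
    written with CRLF or a different line wrap compares equal.
    """
    certs = []
    for body in PEM_RE.findall(bundle):
        certs.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    return certs


def compare_bundles(published: str, canonical: str) -> Dict[str, object]:
    """Compare the HTTP-published bundle against the canonical chain.

    'missing_from_published' lists positions in the canonical chain whose
    certificate is absent from the published file; 'unexpected_in_published'
    lists positions in the published file that are not part of the chain.
    """
    pub = split_pem(published)
    full = split_pem(canonical)
    pub_set, full_set = set(pub), set(full)
    missing = [i for i, c in enumerate(full) if c not in pub_set]
    extra = [i for i, c in enumerate(pub) if c not in full_set]
    return {
        "published": len(pub),
        "canonical": len(full),
        "missing_from_published": missing,
        "unexpected_in_published": extra,
        "complete": not missing and not extra,
    }


def fetch_published(master: str) -> str:
    """Download the bundle exactly as the OTP client installer would (plain
    HTTP, per the commit message).  Not called in the offline demo."""
    with urlopen(f"http://{master}/ipa/config/ca.crt", timeout=10) as resp:
        return resp.read().decode("ascii")


def _fake_cert(label: bytes) -> str:
    """Constructed placeholder 'certificate' used only for the offline demo."""
    b64 = base64.b64encode(label.ljust(96, b"\0")).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


IPA_CA = _fake_cert(b"ipa-ca")
INTERMEDIATE = _fake_cert(b"external-intermediate")
ROOT = _fake_cert(b"external-root")

# Constructed stand-ins for the two files named in the commit message.
FULL_CHAIN = IPA_CA + INTERMEDIATE + ROOT                 # /etc/ipa/ca.crt
PUBLISHED_BEFORE_FIX = IPA_CA                              # only ca_certs[0] was written
PUBLISHED_AFTER_FIX = FULL_CHAIN.replace("\n", "\r\n")    # full chain, CRLF endings

if __name__ == "__main__":
    print("before fix:", compare_bundles(PUBLISHED_BEFORE_FIX, FULL_CHAIN))
    print("after fix: ", compare_bundles(PUBLISHED_AFTER_FIX, FULL_CHAIN))
```

Against a live master, replace the constructed `PUBLISHED_*` strings with `fetch_published("master.example.com")` and read the canonical chain from /etc/ipa/ca.crt on the master; a non-empty `missing_from_published` is the state the commit message describes, in which an OTP-enrolled client without `--ca-cert-file` fails to install.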
Florence Blanc-Renaud 2018-05-17 18:39:32 +02:00 committed by Christian Heimes
parent 7c5ecb8d08
commit af99032d90


@ -432,7 +432,7 @@ class HTTPInstance(service.Service):
raise RuntimeError("HTTPD cert was issued by an unknown CA.")
# at this time we can assume any CA cert will be valid since this is
# only run during installation
x509.write_certificate(ca_certs[0], paths.CA_CRT)
x509.write_certificate_list(certlist, paths.CA_CRT)
def is_kdcproxy_configured(self):
"""Check if KDC proxy has already been configured in the past"""