[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Jan Cholasta jcholast at redhat.com
Mon Jun 6 13:54:53 UTC 2011


On 26.4.2011 22:52, Rob Crittenden wrote:
> The goal is to not import foreign certificates.
>
> This caused a bunch of tests to fail because we had a hardcoded server
> certificate. Instead a developer will need to run make-testcert to
> create a server certificate generated by the local CA to test against.
>
> ticket 1134
>
> rob
>

NACK

The certificate isn't verified in host-add.

I suspect that certificates signed by an intermediate CA (i.e. when the 
certificate chain length > 2) are considered invalid. Is that the 
desired behavior?

make-testcert fails with:

Traceback (most recent call last):
   File "./make-testcert", line 126, in <module>
     sys.exit(makecert(reqdir))
   File "./make-testcert", line 105, in makecert
     add=True)
   File "./make-testcert", line 66, in run
     result = self.execute(method, *args, **options)
   File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
     raise error #pylint: disable=E0702
ipalib.errors.CommandError: unknown command 'cert_request'

This is probably an error on my part (tried running it on both my 
machine without IPA installed and on VM with IPA installed with no 
luck), but nonetheless it should be fixed to fail gracefully so that the 
tests in "make test" have a chance to run. Similarly, the tests which 
use the test certificate created by make-testcert should be skipped if 
the certificate isn't available.

Honza

-- 
Jan Cholasta
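The intermediate-CA question raised above comes down to what "issuer matches our issuer" means: comparing the certificate's issuer DN against our CA's subject DN accepts only certificates our CA signed directly, so a certificate issued by a sub-CA that our CA itself issued (chain length > 2) is rejected. The following is an added illustration, not FreeIPA code and not part of the patch under review; it uses a deliberately simplified certificate model (subject and issuer names only) with constructed sample DNs, and assumes signature verification is done elsewhere, since name chaining alone cannot tell a genuine intermediate from one that merely claims our CA as issuer.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: only the two name fields the check compares.
    Assumption: signature verification happens elsewhere; a real check
    must verify every signature in the chain, not just the names."""
    subject: str
    issuer: str


# Constructed sample PKI; all DNs are made up for this example.
OUR_CA = Cert(subject="CN=Certificate Authority,O=EXAMPLE.COM",
              issuer="CN=Certificate Authority,O=EXAMPLE.COM")
SUB_CA = Cert(subject="CN=Sub CA,O=EXAMPLE.COM",
              issuer=OUR_CA.subject)
LEAF_DIRECT = Cert(subject="CN=host1.example.com,O=EXAMPLE.COM",
                   issuer=OUR_CA.subject)
LEAF_VIA_SUB = Cert(subject="CN=host2.example.com,O=EXAMPLE.COM",
                    issuer=SUB_CA.subject)
FOREIGN_CA = Cert(subject="CN=Other CA,O=OTHER.ORG",
                  issuer="CN=Other CA,O=OTHER.ORG")
FOREIGN_LEAF = Cert(subject="CN=host3.other.org,O=OTHER.ORG",
                    issuer=FOREIGN_CA.subject)
# An intermediate we know about, but which a foreign CA issued.
ROGUE_SUB_CA = Cert(subject="CN=Rogue Sub CA,O=OTHER.ORG",
                    issuer=FOREIGN_CA.subject)
LEAF_VIA_ROGUE = Cert(subject="CN=host4.example.com,O=EXAMPLE.COM",
                      issuer=ROGUE_SUB_CA.subject)


def issuer_is_our_ca(cert: Cert, our_ca: Cert = OUR_CA) -> bool:
    """Direct check: the issuer DN must equal our CA's subject DN.
    Rejects anything issued by an intermediate (chain length > 2)."""
    return cert.issuer == our_ca.subject


def chains_to_our_ca(cert: Cert, intermediates: Iterable[Cert],
                     our_ca: Cert = OUR_CA, max_depth: int = 5) -> bool:
    """Name-chaining check: follow issuer links through the known
    intermediates until our CA is reached.  Fails on an unknown issuer,
    an issuer loop, or a chain longer than max_depth links."""
    by_subject = {c.subject: c for c in intermediates}
    visited = set()
    current = cert
    for _ in range(max_depth):
        if current.issuer == our_ca.subject:
            return True
        if current.subject in visited:
            return False  # issuer loop, never reaches our CA
        visited.add(current.subject)
        nxt: Optional[Cert] = by_subject.get(current.issuer)
        if nxt is None:
            return False  # issuer is neither our CA nor a known intermediate
        current = nxt
    return False  # chain longer than max_depth


if __name__ == "__main__":
    known = [SUB_CA, ROGUE_SUB_CA]
    for c in (LEAF_DIRECT, LEAF_VIA_SUB, FOREIGN_LEAF, LEAF_VIA_ROGUE):
        print(c.subject, issuer_is_our_ca(c), chains_to_our_ca(c, known))
```

With the sample data, LEAF_DIRECT passes both checks, LEAF_VIA_SUB passes only the chaining check, and the two foreign-rooted leaves fail both; whichever behaviour is wanted, the choice should be explicit in the patch and covered by the tests.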



