[Freeipa-devel] [PATCH] 315 Convert external CA chain to PKCS#7 before passing it to pkispawn

Petr Viktorin pviktori at redhat.com
Thu Aug 14 08:09:42 UTC 2014


On 08/13/2014 03:57 PM, Martin Kosek wrote:
> On 08/13/2014 03:12 PM, Petr Viktorin wrote:
[...]
>> This works for me, but I'm not sure if I'm correctly reproducing the specific
>> scenario this patch fixes. So as always, can you please add tests for code you
>> write?
>
> +1!
>
>> As far as other scenarios, it seems to me that when I do something wrong I get
>> a very unhelpful error message late in the installation.
>>
>> I tried signing the request using xca but pkispawn choked on the result; I'll
>> try to write a reproducer script using command-line tools.
>>
>> Attached is a script (based on the external ca integration test) that
>> reproduces the same IndexError as mentioned in the ticket. (If necessary,
>> adjust the IP addresses, hostnames, etc. to fit your environment.)
>> The difference from a working script is that extensions aren't added to the IPA
>> cert when it's signed.
>
> This is a very good finding. If Jan's patch fixes the reported problem, let us
> push it.

Pushed to:
master: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
ipa-4-1: 359dfe58b94079e1e16f4fb8960eb29b251f2cbc
ipa-4-0: 7c03ef0e727ca44ce1228e9896079a1d02227e14


> But the missing validation should be fixed too. Can you please extend
> https://fedorahosted.org/freeipa/ticket/4480
> that is (will be) planned for 4.1 and attach your script as well so that we can
> improve the usability by both accepting more certificate types and validation?

Comment added.


-- 
Petr³



