|
 |
ad1545 |
From 086611271c4dfbbf47e76e666142327bf950a9ca Mon Sep 17 00:00:00 2001
|
|
|
ad1545 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
ad1545 |
Date: Mon, 26 Nov 2018 14:15:12 +0100
|
|
|
ad1545 |
Subject: [PATCH] ipa upgrade: handle double-encoded certificates
|
|
|
ad1545 |
|
|
|
ad1545 |
Issue is linked to the ticket
|
|
|
ad1545 |
#3477 LDAP upload CA cert sometimes double-encodes the value
|
|
|
ad1545 |
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
|
|
|
ad1545 |
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
|
|
|
ad1545 |
|
|
|
ad1545 |
The fix for 3477 is only partial as it prevents double-encoding when a
|
|
|
ad1545 |
new cert is uploaded but does not fix wrong values already present in LDAP.
|
|
|
ad1545 |
|
|
|
ad1545 |
With this commit, the code first tries to read a der cert. If it fails,
|
|
|
ad1545 |
it logs a debug message and re-writes the value caCertificate;binary
|
|
|
ad1545 |
to repair the entry.
|
|
|
ad1545 |
|
|
|
ad1545 |
Fixes https://pagure.io/freeipa/issue/7775
|
|
|
ad1545 |
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
ad1545 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
ad1545 |
---
|
|
|
ad1545 |
ipaserver/install/plugins/upload_cacrt.py | 13 ++++++++++++-
|
|
|
ad1545 |
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
ad1545 |
|
|
|
ad1545 |
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ad1545 |
index 68d43caa76eb67093745658d20a39700adbd16c6..dc58f0863182ccb92d9fed6aa5f1c2546404b598 100644
|
|
|
ad1545 |
--- a/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ad1545 |
+++ b/ipaserver/install/plugins/upload_cacrt.py
|
|
|
ad1545 |
@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
|
|
|
ad1545 |
entry.single_value['cACertificate;binary'] = ca_cert
|
|
|
ad1545 |
ldap.add_entry(entry)
|
|
|
ad1545 |
else:
|
|
|
ad1545 |
- if b'' in entry['cACertificate;binary']:
|
|
|
ad1545 |
+ force_write = False
|
|
|
ad1545 |
+ try:
|
|
|
ad1545 |
+ _cert_bin = entry['cACertificate;binary']
|
|
|
ad1545 |
+ except ValueError:
|
|
|
ad1545 |
+ # BZ 1644874
|
|
|
ad1545 |
+ # sometimes the cert is badly stored, twice encoded
|
|
|
ad1545 |
+ # force write to fix the value
|
|
|
ad1545 |
+ logger.debug('Fixing the value of cACertificate;binary '
|
|
|
ad1545 |
+ 'in entry %s', entry.dn)
|
|
|
ad1545 |
+ force_write = True
|
|
|
ad1545 |
+
|
|
|
ad1545 |
+ if force_write or b'' in entry['cACertificate;binary']:
|
|
|
ad1545 |
entry.single_value['cACertificate;binary'] = ca_cert
|
|
|
ad1545 |
ldap.update_entry(entry)
|
|
|
ad1545 |
|
|
|
ad1545 |
--
|
|
|
ad1545 |
2.17.2
|
|
|
ad1545 |
|