diff --git a/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch b/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
new file mode 100644
index 0000000..09ecea3
--- /dev/null
+++ b/SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
@@ -0,0 +1,86 @@
+From 15c68b5ab6441a443f0a135da2b553ee1f9cbcf9 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Fri, 8 Aug 2014 10:15:26 +0200
+Subject: [PATCH] Convert external CA chain to PKCS#7 before passing it to
+ pkispawn.
+
+https://fedorahosted.org/freeipa/ticket/4397
+---
+ install/tools/ipa-server-install | 6 +++---
+ install/tools/man/ipa-server-install.1 | 10 +++++++---
+ ipaserver/install/cainstance.py | 13 ++++++++++++-
+ 3 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index dfbbb91bf3bb8461333193b5a3e72c3ec06d4582..feea616b089261bf46392d5514e6e3cc9e12fcac 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -174,11 +174,11 @@ def parse_options():
+
+ cert_group = OptionGroup(parser, "certificate system options")
+ cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
+- default=False, help="Generate a CSR to be signed by an external CA")
++ default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
+ cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
+- help="PEM file containing a certificate signed by the external CA")
++ help="File containing the IPA CA certificate signed by the external CA in PEM format")
+ cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
+- help="PEM file containing the external CA chain")
++ help="File containing the external CA certificate chain in PEM format")
+ cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+ default=True, help="disables pkinit setup steps")
+ cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
+diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
+index 4adf1d037517bb211bd4c5e5e915380777e8f337..d713d2db4cb863dff77e451b22c5a9b1fbbfeecd 100644
+--- a/install/tools/man/ipa-server-install.1
++++ b/install/tools/man/ipa-server-install.1
+@@ -85,13 +85,17 @@ An unattended installation that will never prompt for user input
+ .SS "CERTIFICATE SYSTEM OPTIONS"
+ .TP
+ \fB\-\-external\-ca\fR
+-Generate a CSR to be signed by an external CA
++Generate a CSR for the IPA CA certificate to be signed by an external CA.
+ .TP
+ \fB\-\-external_cert_file\fR=\fIFILE\fR
+-PEM file containing a certificate signed by the external CA. Must be given with \-\-external_ca_file.
++File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
+ .TP
+ \fB\-\-external_ca_file\fR=\fIFILE\fR
+-PEM file containing the external CA chain
++File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
++
++If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
++
++ openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
+ .TP
+ \fB\-\-no\-pkinit\fR
+ Disables pkinit setup steps
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1..233fa5d95fb7068b22a1c3daaed89176ff14a380 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -578,9 +578,20 @@ def __spawn_instance(self):
+ config.set("CA", "pki_external_csr_path", self.csr_file)
+
+ elif self.external == 2:
++ cert_chain, stderr, rc = ipautil.run(
++ ['/usr/bin/openssl', 'crl2pkcs7',
++ '-certfile', self.cert_chain_file,
++ '-nocrl'])
++ # Dogtag chokes on the header and footer, remove them
++ # https://bugzilla.redhat.com/show_bug.cgi?id=1127838
++ cert_chain = re.search(
++ r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
++ cert_chain, re.DOTALL).group(0)
++ cert_chain_file = ipautil.write_tmp_file(cert_chain)
++
+ config.set("CA", "pki_external", "True")
+ config.set("CA", "pki_external_ca_cert_path", self.cert_file)
+- config.set("CA", "pki_external_ca_cert_chain_path", self.cert_chain_file)
++ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+ config.set("CA", "pki_external_step_two", "True")
+
+ # Generate configuration file
+--
+1.9.3
+
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
index 53301a0..c650b25 100644
--- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,7 +1,7 @@
-From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
+From ebaad372cdeb941af1a390f81c8a4d90ea128f9f Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
-Date: Wed, 22 May 2013 09:38:50 +0200
-Subject: [PATCH 1001/1006] Hide pkinit functionality from production version
+Date: Thu, 14 Aug 2014 13:34:13 +0200
+Subject: [PATCH] Hide pkinit functionality from production version
Rebased from original patch from Jan Zeleny and Rob Crittenden.
@@ -13,10 +13,10 @@ https://fedorahosted.org/freeipa/ticket/616
3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
-index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
+index 4418b41784313121e73b560ee84715ddeba8bc54..ff4cd70147abb2dc6e0486155fb179d4fb1b29e9 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
-@@ -96,8 +96,6 @@ def parse_options():
+@@ -95,8 +95,6 @@ def parse_options():
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
@@ -25,7 +25,7 @@ index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option_group(cert_group)
-@@ -122,6 +120,9 @@ def parse_options():
+@@ -121,6 +119,9 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
@@ -36,13 +36,13 @@ index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659
parser.error("you must provide a file generated by ipa-replica-prepare")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
-index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
+index feea616b089261bf46392d5514e6e3cc9e12fcac..5bd22bf18f2b00e26d674b6cbbf81989b4a030cb 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
-@@ -173,20 +173,14 @@ def parse_options():
- help="PEM file containing a certificate signed by the external CA")
+@@ -179,20 +179,14 @@ def parse_options():
+ help="File containing the IPA CA certificate signed by the external CA in PEM format")
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
- help="PEM file containing the external CA chain")
+ help="File containing the external CA certificate chain in PEM format")
- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
@@ -60,7 +60,7 @@ index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b
cert_group.add_option("--root-ca-file", dest="root_ca_file",
help="PEM file with root CA certificate(s) to trust")
cert_group.add_option("--subject", action="callback", callback=subject_callback,
-@@ -236,6 +230,10 @@ def parse_options():
+@@ -229,6 +223,10 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
@@ -72,10 +72,10 @@ index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b
try:
validate_dm_password(options.dm_password)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
-index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
+index 36d078a6b73562cb0047154f4bb7666ab25687b8..a3b89a8a739c6082aa7117cea470e2a9d8dba7f9 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
-@@ -57,9 +57,6 @@ def add_options(cls, parser):
+@@ -56,9 +56,6 @@ def add_options(cls, parser):
parser.add_option("--no-reverse", dest="no_reverse",
action="store_true", default=False,
help="do not create reverse DNS zone")
@@ -85,7 +85,7 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b
parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
metavar="FILE",
help="location of CA PKCS#12 file, default /root/cacert.p12")
-@@ -72,15 +69,10 @@ def add_options(cls, parser):
+@@ -71,15 +68,10 @@ def add_options(cls, parser):
group.add_option("--http_pkcs12", dest="http_pkcs12",
metavar="FILE",
help="install certificate for the http server")
@@ -101,7 +101,7 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b
parser.add_option_group(group)
def validate_options(self):
-@@ -100,7 +92,10 @@ def validate_options(self):
+@@ -99,7 +91,10 @@ def validate_options(self):
"option together with --no-reverse")
#Automatically disable pkinit w/ dogtag until that is supported
@@ -113,5 +113,5 @@ index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b
# If any of the PKCS#12 options are selected, all are required.
pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
--
-1.8.3.1
+1.9.3
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 33b4609..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -uNrp freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py freeipa-3.3.3/ipaserver/install/ntpinstance.py
---- freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py 2013-11-01 10:34:30.000000000 -0500
-+++ freeipa-3.3.3/ipaserver/install/ntpinstance.py 2014-06-26 07:27:19.644718099 -0500
-@@ -43,6 +43,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists("/etc/fedora-release"):
- os = "fedora"
-+ elif ipautil.file_exists("/etc/centos-release"):
-+ os = "centos"
- elif ipautil.file_exists("/etc/redhat-release"):
- os = "rhel"
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index a98a578..ae37d92 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -18,7 +18,7 @@
Name: ipa
Version: 3.3.3
-Release: 28%{?dist}
+Release: 28%{?dist}.1
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -93,6 +93,7 @@ Patch0062: 0062-Prohibit-deletion-of-active-subdomain-range.patch
Patch0063: 0063-extdom-do-not-return-results-from-the-wrong-domain.patch
Patch0064: 0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
Patch0065: 0065-Make-ipa-client-automount-backwards-compatible.patch
+Patch0066: 0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002: 1002-Remove-pkinit-plugin.patch
@@ -102,8 +103,6 @@ Patch1005: 1005-Remove-pylint-from-build-process.patch
Patch1006: 1006-Remove-i18test-from-build-process.patch
Patch1007: 1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
-Patch9999: ipa-centos-branding.patch
-
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1
BuildRequires: svrcore-devel
@@ -150,6 +149,7 @@ BuildRequires: check
BuildRequires: libsss_idmap-devel
BuildRequires: libsss_nss_idmap-devel
BuildRequires: java-1.7.0-openjdk
+BuildRequires: rhino
BuildRequires: libverto-devel
BuildRequires: systemd
BuildRequires: libunistring-devel
@@ -208,6 +208,9 @@ Requires: selinux-policy >= 3.12.1-65
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.47.7
Requires: pki-ca >= 10.0.4
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns
@@ -843,8 +846,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
-* Thu Jun 26 2014 Johnny Hughes <johnny@centos.org> - 3.3.3-28.el7.centos
-- Roll in CentOS Branding
+* Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28.1
+- Server installation fails using external signed certificates with
+ "IndexError: list index out of range" (#1130031)
+- Add rhino to BuildRequires to fix Web UI build error
* Tue Apr 1 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28
- ipa-client-automount fails with incompatibility error when installed against