From 5f1100e83146e898dca431d6cdaf62ab986e599d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 9 Jun 2021 17:39:56 +0200
Subject: [PATCH] CA less installation: non ASCII chars in CA subject

In CA-less installation, ipa-server-install fails when the CA
certificate contains a subject with non ASCII characters.

ipa-server-install is internally calling ipautil.run(...)
to launch a certutil -n nickname command, and the nickname is
provided as a unicode instead of a string.

The fix makes sure the nickname is provided as a utf-8
encoded string.

Fixes: https://pagure.io/freeipa/issue/8879

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipalib/install/certstore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 8b182958c26e066eaeca859f451073c83e82bd67..4d406c0ce34cb1bdd39dcbac70eae4f6b0895cb5 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -294,7 +294,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
                         'cACertificate;binary'])
 
         for entry in result:
-            nickname = entry.single_value['cn']
+            nickname = entry.single_value['cn'].encode('utf-8')
             trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower()
             if trusted == 'trusted':
                 trusted = True
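Review bot: the `.encode('utf-8')` on the `nickname = entry.single_value['cn']` line is unconditional, so under Python 3 every consumer of get_ca_certs receives the nickname as bytes rather than str, which changes the type of the returned value for all callers and not only for the certutil invocation named in the commit message. Consider encoding only when running under Python 2, or doing the conversion at the point where the nickname is handed to ipautil.run, so the value returned here stays text. A short comment on that line pointing to issue 8879 would also explain why the encode is there, and a regression test with a non-ASCII `cn` would keep it from being removed later.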
-- 
2.26.3