Fix pki_server_external_certs_path #4944
Merged
Previously, if the pki_server_pkcs12_path was not specified, the external certs specified in pki_server_external_certs_path would not be imported either. This is incorrect since these parameters are unrelated.

To address the issue, the code that imports the external certs in PKIDeployer.import_server_pkcs12() has been moved into import_external_certs(), which will always be invoked during installation. The update_external_certs_conf() has been merged into this method as well.

The PKIInstance.load_external_certs() has been modified to add the external cert using add_external_cert() to avoid creating duplicate entries in the external_certs.conf.

The PKIInstance.store_external_certs() has been modified to remove the external_certs.conf if it's empty.

The test for CA cloning with LDAPS connection has been updated to create a CA, add an external cert, clone the CA, remove and reinstall the clone, then remove the external cert.

In the future, the pki_server_external_certs_path param and the pki-server instance-externalcert-* commands might be deprecated and eventually removed since there are other ways to deal with external certs without having to maintain external_certs.conf.