From 1ba397e783988aaf12a8714e639f5ff8817608a7 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 10 Nov 2022 16:09:26 +0100
Subject: [PATCH] ipaclient_setup_nss: Fix undefined ca_certs for
 NoCertificateError case

In case get_certs_from_ldap failed with errors.NoCertificateError, the
code led to a traceback because certstore.make_compat_ca_certs was called
with an undefined ca_certs variable.

The code to generate ca_certs for this case was copied over from
ipaclient_api. This is loading the certificate list from paths.IPA_CA_CRT.
---
 roles/ipaclient/library/ipaclient_setup_nss.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
index 7fc466ce..be00347e 100644
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -150,7 +150,8 @@ from ansible.module_utils.ansible_ipa_client import (
     get_certs_from_ldap, DN, certstore, x509, logger, certdb,
     CalledProcessError, tasks, client_dns, configure_certmonger, services,
     update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
-    configure_openldap_conf, hardcode_ldap_server, getargspec
+    configure_openldap_conf, hardcode_ldap_server, getargspec, NUM_VERSION,
+    serialization
 )
 
 
@@ -271,6 +272,17 @@ def main():
                 ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
             else:
                 ca_subject = None
+
+            # Set ca_certs
+            # Copied from ipaclient_api
+            ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
+            if 40500 <= NUM_VERSION < 40590:
+                ca_certs = [cert.public_bytes(serialization.Encoding.DER)
+                            for cert in ca_certs]
+            elif NUM_VERSION < 40500:
+                ca_certs = [cert.der_data for cert in ca_certs]
+            # Copied from ipaclient_api
+
             ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
                                                       ca_subject)
         ca_certs_trust = [(c, n,
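Review bot: The new `ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)` line right after `ca_subject = None` has no error handling, so if the local CA bundle is missing or unreadable — plausible in exactly the NoCertificateError branch this fix targets, where LDAP returned no certificates — the module still ends in a traceback instead of a clean failure. Wrapping the load in a try/except and reporting through the Ansible module object (presumably named `module` as in the other ipaclient modules; verify) would make the failure diagnosable from the playbook; `paths` is also not added by the import hunk, so it should be confirmed to be in scope already. The NUM_VERSION-dependent DER conversion is bracketed by two identical `# Copied from ipaclient_api` comments; one explanatory comment suffices, and a shared helper in ansible_ipa_client would avoid the copy drifting from ipaclient_api. main() begins and ends outside the hunk.
```python
            # LDAP had no CA certificates: fall back to the local CA bundle
            # (same approach as ipaclient_api).
            try:
                ca_certs = x509.load_certificate_list_from_file(
                    paths.IPA_CA_CRT)
            except (IOError, OSError) as e:
                module.fail_json(
                    msg="Unable to load CA certificates from %s: %s"
                    % (paths.IPA_CA_CRT, e))
            # … unchanged: NUM_VERSION-dependent DER conversion …
```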
-- 
GitLab