URL: https://github.com/freeipa/freeipa/pull/2618
Author: flo-renaud
Title: #2618: ipa upgrade: handle double-encoded certificates
Action: opened
PR body:
"""
## ipa upgrade: handle double-encoded certificates
This issue is linked to ticket #3477, "LDAP upload CA cert sometimes double-encodes the value".
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding the value of the
certificate twice in `cn=cacert,cn=ipa,cn=etc,$BASEDN`.
The fix for 3477 is only partial as it prevents double-encoding when a new cert is
uploaded but does not fix wrong values already present in LDAP.
With this commit, the code first tries to read a DER cert. If it fails, it logs a debug
message and re-writes the value caCertificate;binary to repair the entry.
Fixes https://pagure.io/freeipa/issue/7775
## ipatests: add upgrade test for double-encoded cacert
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry `cn=cacert,cn=ipa,cn=etc,$basedn` to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
"""
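The check described in the PR body (try to read the stored value as DER, repair it if that fails), sketched as an added example; this is not FreeIPA's code. It assumes "double-encoded" means the attribute holds base64 text of the DER bytes, and it uses a structural DER check from the standard library where a real upgrade plugin would use a full X.509 parser. All function names and sample values are hypothetical.

```python
import base64
import binascii

def der_sequence_ok(data: bytes) -> bool:
    """Structural check only: exactly one DER SEQUENCE spanning the whole value."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length

def classify_cacert_value(value: bytes):
    """Return (state, der); state is 'der', 'double-encoded' or 'invalid'."""
    if der_sequence_ok(value):
        return "der", value
    try:
        # Assumption: the bad value is base64 text, possibly line-wrapped.
        decoded = base64.b64decode(b"".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "invalid", None
    if der_sequence_ok(decoded):
        return "double-encoded", decoded
    return "invalid", None

def repaired_value(value: bytes) -> bytes:
    """Value to write back to caCertificate;binary, or raise if unrecoverable."""
    state, der = classify_cacert_value(value)
    if state == "invalid":
        raise ValueError("stored value is neither DER nor base64 of DER")
    return der

# Constructed sample: a DER-shaped blob (not a real certificate) and its
# double-encoded form as it would sit in the LDAP entry.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_DOUBLE = base64.b64encode(SAMPLE_DER)

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_DER), ("double", SAMPLE_DOUBLE)):
        print(label, classify_cacert_value(raw)[0])
```
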
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2618/head:pr2618
git checkout pr2618