URL: https://github.com/freeipa/freeipa/pull/4343
Author: fcami
Title: #4343: certstore.get_ca_certs(): order CA certs
Action: opened
PR body:
"""
Currently, get_ca_certs() returns a non-ordered list of CA
certificates. ipa-certupdate then writes that list to ca.crt.
However, ldapsearch and other tools expect the first certificate
in ca.crt to be valid. This is not the case if the first
cACertificate attribute contains an expired certificate.
get_ca_certs() will now insert in front of the list the current
certificates, and append the ones which are either not yet valid
or not valid anymore, making sure the first certificate in front
of the list is current.
Fixes: https://pagure.io/freeipa/issue/8223
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4343/head:pr4343
git checkout pr4343
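
The ordering described in the PR body, sketched as an added example that is not FreeIPA's code: a stable partition of CA certificates by validity window, plus the check that the first entry is current. `CertInfo`, `order_ca_certs`, `first_is_current` and the sample data are hypothetical and constructed; keeping the original relative order inside each group is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertInfo:
    """Constructed stand-in for a parsed CA certificate (hypothetical type)."""
    nickname: str
    not_before: datetime
    not_after: datetime


def is_current(cert, now):
    """True when `now` falls inside the certificate's validity window."""
    return cert.not_before <= now <= cert.not_after


def order_ca_certs(certs, now=None):
    """Stable partition: current certs first, expired/not-yet-valid last."""
    now = now or datetime.now(timezone.utc)
    current = [c for c in certs if is_current(c, now)]
    other = [c for c in certs if not is_current(c, now)]
    return current + other


def first_is_current(certs, now=None):
    """The property tools that rely on the first cert in ca.crt depend on."""
    now = now or datetime.now(timezone.utc)
    return bool(certs) and is_current(certs[0], now)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data, in the order a directory entry might return it.
NOW = utc(2020, 3, 1)
SAMPLE = [
    CertInfo("expired-ca", utc(2010, 1, 1), utc(2020, 1, 1)),
    CertInfo("current-ca", utc(2019, 6, 1), utc(2039, 6, 1)),
    CertInfo("future-ca", utc(2021, 1, 1), utc(2041, 1, 1)),
    CertInfo("renewed-ca", utc(2020, 2, 1), utc(2040, 2, 1)),
]

if __name__ == "__main__":
    print([c.nickname for c in order_ca_certs(SAMPLE, NOW)])
```

If every certificate in the list is expired or not yet valid, the order is unchanged and `first_is_current` still returns False, so the check is worth running after the bundle is written.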