Diffstat (limited to 'src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py')
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py20
1 files changed, 11 insertions, 9 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
index 698203a87..288c86d74 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
@@ -171,10 +171,7 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
os.fdopen(fd, 'w').write(data)
cert = self.XMLMatch(metadata).find("Cert")
try:
- if cert.get('self_sign', 'false') != 'true':
- ca = self.get_ca(cert.get('ca', 'default'))
- if ca.get('chaincert'):
- self.verify_cert_against_ca(fname, entry, metadata)
+ self.verify_cert_against_ca(fname, entry, metadata)
self.verify_cert_against_key(fname,
self._get_keyfile(cert, metadata))
finally:
@@ -218,12 +215,17 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
and that it has not expired.
"""
cert = self.XMLMatch(metadata).find("Cert")
- ca = self.get_ca(cert.get("ca", "default"))
- chaincert = ca.get('chaincert')
cmd = ["openssl", "verify"]
- if not ca.get('root_ca', False):
- cmd.append("-partial_chain")
- cmd.extend(["-trusted", chaincert, filename])
+ trusted = filename
+ if cert.get('self_sign', 'false') != 'true':
+ ca = self.get_ca(cert.get("ca", "default"))
+ chaincert = ca.get('chaincert')
+ if chaincert is not None:
+ trusted = chaincert
+ if not ca.get('root_ca', False):
+ cmd.append("-partial_chain")
+ cmd.extend(["-trusted", trusted, filename])
+
self.debug_log("Cfg: Verifying %s against CA" % entry.get("name"))
result = self.cmd.run(cmd)
if result.stdout == filename + ": OK\n":
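Review bot: When the cert is not self-signed but the CA has no `chaincert`, `trusted` stays equal to `filename`, so openssl is asked to verify the certificate against itself. With `-partial_chain` appended for a non-root CA, that check will most likely pass for any unexpired cert without the CA signature ever being examined. The old caller skipped verification in this case; the new code logs "Verifying ... against CA" and reports success, which overstates what was checked. I would make the fallback visible with something like `if chaincert is None: self.debug_log("Cfg: CA has no chaincert; %s only checked against itself" % entry.get("name"))`, or raise if a missing chaincert is a configuration error. The docstring should also say that the self-signed path only confirms self-consistency and expiry; the function starts before this hunk and continues past it.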