From 13d2416e2944a170a5fd169043de44b3b91cf971 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Thu, 27 Feb 2020 12:29:44 +0100
Subject: [PATCH] Fix regression from JsonRPC PKI CA verification checks refs #7835
---
 lib/remote/jsonrpcconnection-pki.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 4f9938091..776043843 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -203,12 +203,14 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 * this ensures that the CA we have in /var/lib/icinga2/ca matches the one
 * we're using for cluster connections (there's no point in sending a client
 * a certificate it wouldn't be able to use to connect to us anyway) */
- if (!signedByCA) {
- Log(LogWarning, "JsonRpcConnection")
- << "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses "
- << "for its own cluster connections. This is most likely a configuration problem.";
- goto delayed_request;
- }
+ try {
+ if (!VerifyCertificate(cacert, newcert)) {
+ Log(LogWarning, "JsonRpcConnection")
+ << "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses "
+ << "for its own cluster connections. This is most likely a configuration problem.";
+ goto delayed_request;
+ }
+ } catch (const std::exception&) { } /* Swallow the exception on purpose, cacert will never be a non-CA certificate. */
 /* Send the signed certificate update. */
 Log(LogInformation, "JsonRpcConnection")
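Review bot: The empty `catch (const std::exception&) { }` around the new `VerifyCertificate(cacert, newcert)` call fails open: any exception raised during the CA check falls straight through to the "Send the signed certificate update" path below, so a check that could not be completed is treated as a check that passed. The trailing comment only justifies the one failure mode where cacert is not a CA; if VerifyCertificate reports other failures by throwing (its contract is not visible in the hunk, so this is inferred), those cases now issue the certificate instead of delaying the request as the removed `signedByCA` branch did. The conservative form keeps the delay as the outcome for every failure: `} catch (const std::exception& ex) {` / `Log(LogWarning, "JsonRpcConnection") << "Could not verify the CA in '" << listener->GetDefaultCaPath() << "': " << ex.what();` / `goto delayed_request; }`. If the swallow is kept on purpose, the comment should state which exception is expected and why proceeding is safe rather than asserting it never happens. The enclosing RequestCertificateHandler and the `delayed_request` label lie outside the hunk.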