Merge pull request #7862 from Icinga/bugfix/jsonrpc-pki-ca-check-regression

Fix regression from JsonRPC PKI CA verification checks
Michael Friedrich 2020-02-27 16:33:32 +01:00 committed by GitHub
commit 2ea4970c48
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 6 deletions


@ -203,12 +203,14 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
* this ensures that the CA we have in /var/lib/icinga2/ca matches the one * this ensures that the CA we have in /var/lib/icinga2/ca matches the one
* we're using for cluster connections (there's no point in sending a client * we're using for cluster connections (there's no point in sending a client
* a certificate it wouldn't be able to use to connect to us anyway) */ * a certificate it wouldn't be able to use to connect to us anyway) */
if (!signedByCA) { try {
if (!VerifyCertificate(cacert, newcert)) {
Log(LogWarning, "JsonRpcConnection") Log(LogWarning, "JsonRpcConnection")
<< "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses " << "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses "
<< "for its own cluster connections. This is most likely a configuration problem."; << "for its own cluster connections. This is most likely a configuration problem.";
goto delayed_request; goto delayed_request;
} }
} catch (const std::exception&) { } /* Swallow the exception on purpose, cacert will never be a non-CA certificate. */
/* Send the signed certificate update. */ /* Send the signed certificate update. */
Log(LogInformation, "JsonRpcConnection") Log(LogInformation, "JsonRpcConnection")
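Review bot: The empty `catch (const std::exception&) { }` after the new `VerifyCertificate(cacert, newcert)` check makes this verification fail open: if the call throws, control falls through to the "Send the signed certificate update" path without the CA match ever having been established. The comment rules out only one cause (cacert not being a CA certificate); whether VerifyCertificate can throw for other reasons is not visible in this hunk, so the handler should log and take the same path as a mismatch, e.g. `} catch (const std::exception& ex) { Log(LogWarning, "JsonRpcConnection") << "Cannot verify the new certificate against the CA: " << ex.what(); goto delayed_request; }`. RequestCertificateHandler starts before and continues after this hunk, and the `delayed_request` label lies outside it, so confirm that the delayed path is the intended outcome for a certificate that could not be verified.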