mirror of https://github.com/Icinga/icinga2.git
Merge pull request #7862 from Icinga/bugfix/jsonrpc-pki-ca-check-regression
Fix regression from JsonRPC PKI CA verification checks
This commit is contained in:
Michael Friedrich
GitHub
commit
2ea4970c48
|
|
@ -203,12 +203,14 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
|
||||||
* this ensures that the CA we have in /var/lib/icinga2/ca matches the one
|
* this ensures that the CA we have in /var/lib/icinga2/ca matches the one
|
||||||
* we're using for cluster connections (there's no point in sending a client
|
* we're using for cluster connections (there's no point in sending a client
|
||||||
* a certificate it wouldn't be able to use to connect to us anyway) */
|
* a certificate it wouldn't be able to use to connect to us anyway) */
|
||||||
if (!signedByCA) {
|
try {
|
||||||
Log(LogWarning, "JsonRpcConnection")
|
if (!VerifyCertificate(cacert, newcert)) {
|
||||||
<< "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses "
|
Log(LogWarning, "JsonRpcConnection")
|
||||||
<< "for its own cluster connections. This is most likely a configuration problem.";
|
<< "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses "
|
||||||
goto delayed_request;
|
<< "for its own cluster connections. This is most likely a configuration problem.";
|
||||||
}
|
goto delayed_request;
|
||||||
|
}
|
||||||
|
} catch (const std::exception&) { } /* Swallow the exception on purpose, cacert will never be a non-CA certificate. */
|
||||||
|
|
||||||
/* Send the signed certificate update. */
|
/* Send the signed certificate update. */
|
||||||
Log(LogInformation, "JsonRpcConnection")
|
Log(LogInformation, "JsonRpcConnection")
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue