cdd41e0 Ensure correct IPA CA nickname in DS and HTTP NSSDBs

2 files. Authored by ftweedal 7 years ago, committed by jcholast 7 years ago.
    Ensure correct IPA CA nickname in DS and HTTP NSSDBs
    
    During replica installation, if the IPA deployment has a custom
    subject_base, the routines that create the DS and HTTP NSSDBs
    erroneously compare the subject of CA certs to the *default* subject
    base. This causes the IPA CA cert to be added to the NSSDBs with a
    nickname derived from the subject name, instead of "{REALM} IPA CA".
    
    At a later stage of installation, the `upload_cacrt` plugin reads
    certs from the HTTP NSSDB in order to update the cn=certificates
    LDAP certstore.  The NSSDB nickname of the cert is used as the CN
    for the entry.  Because the IPA CA cert was not installed in the
    HTTP NSSDB with the "{REALM} IPA CA" nickname, this causes a spurious entry
    for the IPA CA to be added to the certstore.
    
    To avoid this scenario, use the deployment's actual subject base
    when deciding if a cert is the IPA CA cert.
    
    Fixes: https://fedorahosted.org/freeipa/ticket/6415
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
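
The failure mode described in the commit message, modelled as an added example (this is not FreeIPA code and not part of the commit). All function names are hypothetical. It assumes the CA subject is `CN=Certificate Authority,<subject_base>`, that the default subject base is `O=<REALM>`, and that the certstore already holds the correctly named entry before the replica's NSSDB is read; the realm, subject base and certificate value are constructed.

```python
# Added illustration, not FreeIPA source; every name below is hypothetical.

def norm_dn(dn):
    """Crude DN normalisation, sufficient for the constructed samples here."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def ca_nickname(cert_subject, realm, compared_base):
    """Pick the NSSDB nickname for a CA cert, given the base it is compared to."""
    ipa_ca_subject = "CN=Certificate Authority," + compared_base  # assumed layout
    if norm_dn(cert_subject) == norm_dn(ipa_ca_subject):
        return realm + " IPA CA"
    return cert_subject  # stand-in for a nickname derived from the subject name

def upload_cacrt(certstore, nssdb):
    """Model of the later step: each NSSDB nickname becomes a certstore CN."""
    for nickname, cert in nssdb.items():
        certstore[nickname] = cert
    return certstore

def replica_install(realm, actual_base, compared_base):
    """Run both steps and return the resulting certstore (CN -> cert)."""
    ca_subject = "CN=Certificate Authority," + actual_base
    cert = "<IPA CA cert, constructed placeholder>"
    certstore = {realm + " IPA CA": cert}  # assumed pre-existing entry
    nssdb = {ca_nickname(ca_subject, realm, compared_base): cert}
    return upload_cacrt(certstore, nssdb)

def duplicate_ca_entries(certstore):
    """Check for the symptom: one certificate stored under several CNs."""
    by_cert = {}
    for cn, cert in certstore.items():
        by_cert.setdefault(cert, []).append(cn)
    return [sorted(cns) for cns in by_cert.values() if len(cns) > 1]

REALM = "EXAMPLE.TEST"            # constructed
CUSTOM_BASE = "O=Custom Org,C=AU"  # constructed custom subject_base

if __name__ == "__main__":
    before = replica_install(REALM, CUSTOM_BASE, "O=" + REALM)  # default base
    after = replica_install(REALM, CUSTOM_BASE, CUSTOM_BASE)    # actual base
    print("before fix:", duplicate_ca_entries(before))
    print("after fix: ", duplicate_ca_entries(after))
```
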