https://bugzilla.redhat.com/show_bug.cgi?id=747991
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
# ipa-server-install --external-ca
# mkdir ipa-ca
# cd ipa-ca/
# certutil -N -d . -f /root/pwdfile.txt
# certutil -G -d . -z /root/noise.txt -f /root/pwdfile.txt
# certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /root/noise.txt -f /root/pwdfile.txt
# certutil -C -m 2345 -i /root/ipa.csr -o ipacacert.crt -c "CA certificate" -d . -a -f /root/pwdfile.txt
# certutil -A -n ipa-ca@redhat.com -t "u,u,u" -i ipacacert.crt -d . -a
# certutil -L -d . -n "CA certificate" -a > cacert.asc
# ls
cacert.asc  cert8.db  ipacacert.crt  ipacert.req  key3.db  secmod.db
# ipa-server-install --external_cert_file=/root/ipa-ca/ipacacert.crt --external_ca_file=/root/ipa-ca/cacert.asc

Actual results:
ipa-server-install setup is completed successfully. However ipa commands fail.

# ipa user-find
ipa: ERROR: cert validation failed for "CN=ratchet.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
ipa: ERROR: cannot connect to u'https://ratchet.lab.eng.pnq.redhat.com/ipa/xml': [Errno -8179] (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.

Expected results:
non-CA should not be allowed to be used as an external CA signer.

Additional info:
[root@ratchet alias]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=CAcert                                                    CT,C,C
Server-Cert                                                  u,u,u
LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
[root@ratchet alias]#
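The expected result above is a validation step the installer could perform before accepting an external CA file. The following is an added example, not FreeIPA's or python-nss's own code: it uses the `cryptography` library instead of NSS. Both certificates are generated in-process as constructed sample data; `make_self_signed(..., ca_constraints=False)` imitates the `certutil -S` invocation in the ticket, which produces a trusted self-signed certificate that carries no BasicConstraints extension and is therefore not a CA under RFC 5280. The function names and the subject names are assumptions for the example.

```python
"""Reject a non-CA certificate before it is used as an external CA signer.

Added example (not FreeIPA code). Uses the `cryptography` library; all
certificates are generated here as constructed sample data.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Key usage a CA certificate is expected to carry when KeyUsage is present.
CA_KEY_USAGE = x509.KeyUsage(
    digital_signature=False, content_commitment=False, key_encipherment=False,
    data_encipherment=False, key_agreement=False, key_cert_sign=True,
    crl_sign=True, encipher_only=False, decipher_only=False,
)


def _builder(subject_cn, issuer_name, public_key):
    """Common certificate skeleton with a ten-year validity window."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=3650))
    )


def make_self_signed(subject_cn, ca_constraints):
    """Return (key, cert). ca_constraints=True adds BasicConstraints cA=TRUE
    and keyCertSign; False adds neither, like `certutil -S` without `-2`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = _builder(subject_cn, name, key.public_key())
    if ca_constraints:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True
        ).add_extension(CA_KEY_USAGE, critical=True)
    return key, builder.sign(key, hashes.SHA256())


def issue(signer_key, signer_cert, subject_cn):
    """Sign a new CA-style certificate with signer_key, as the ticket's
    `certutil -C` step does for the IPA CA's request."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = _builder(subject_cn, signer_cert.subject, key.public_key())
    builder = builder.add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True
    ).add_extension(CA_KEY_USAGE, critical=True)
    return key, builder.sign(signer_key, hashes.SHA256())


def external_ca_problems(ca_cert, issued_cert):
    """Reasons to reject ca_cert as the external signer of issued_cert.
    An empty list means the pair passes every check."""
    problems = []
    # RFC 5280 4.2.1.9: without BasicConstraints, or with cA=FALSE, the key
    # MUST NOT be used to verify certificate signatures.
    try:
        bc = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            problems.append("BasicConstraints present but cA is FALSE")
    except x509.ExtensionNotFound:
        problems.append("no BasicConstraints extension: not a CA certificate")
    # KeyUsage is optional, but when present it must permit keyCertSign.
    try:
        ku = ca_cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.key_cert_sign:
            problems.append("KeyUsage present but keyCertSign not set")
    except x509.ExtensionNotFound:
        pass
    # The chain must actually link, or clients see an unknown issuer.
    if issued_cert.issuer != ca_cert.subject:
        problems.append("issued certificate's issuer does not match CA subject")
    try:
        ca_cert.public_key().verify(
            issued_cert.signature, issued_cert.tbs_certificate_bytes,
            padding.PKCS1v15(), issued_cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        problems.append("issued certificate was not signed by this CA key")
    return problems


if __name__ == "__main__":
    bad_key, bad_ca = make_self_signed("CAcert", ca_constraints=False)
    _, ipa_ca = issue(bad_key, bad_ca, "EXAMPLE.TEST IPA CA")
    print("non-CA signer:", external_ca_problems(bad_ca, ipa_ca))
    good_key, good_ca = make_self_signed("CAcert", ca_constraints=True)
    _, ipa_ca2 = issue(good_key, good_ca, "EXAMPLE.TEST IPA CA")
    print("real CA signer:", external_ca_problems(good_ca, ipa_ca2))
```

Run as a script it prints one problem for the `certutil -S`-style signer (missing BasicConstraints) and an empty list for the real CA. The issuer-name and signature checks are included because a file that passes the CA checks but did not actually sign the IPA CA certificate would still produce the SEC_ERROR_UNKNOWN_ISSUER failure shown in the ticket.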
Having a problem parsing the CA cert with python-nss to determine its status. Filed Fedora BZ https://bugzilla.redhat.com/show_bug.cgi?id=796293
Cloned Fedora python-nss bug to RHEL https://bugzilla.redhat.com/show_bug.cgi?id=796295
Start with cleaning python-nss.
Deprecate python-nss component.
External CA configuration tools and option validation were being addressed in #4480.
If you still reproduce the issue with FreeIPA 4.1 or later, please feel free to reopen the bug.
Metadata Update from @rcritten:
- Issue assigned to jdennis
- Issue set to the milestone: FreeIPA 4.1