In both a self-sign and dogtag CA request-cert is not working:
    $ ipa cert-request --add --principal test/rawhide.greyoak.com db/rawhide.csr
    ipa: ERROR: cert validation failed for "CN=rawhide.greyoak.com,O=GREYOAK.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to u'http://rawhide.greyoak.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

    $ ipa user-show admin
      User login: admin
      Last name: Administrator
      Home directory: /home/admin
      Login shell: /bin/bash
      UID: 1206400000
      GID: 1206400000
      Account disabled: False
      Password: True
      Member of groups: admins
      Kerberos keys available: True
This doesn't seem to have anything to do with the backend. Creating a replica (which generates certs) still works.
This is related to the patch to fix the client installer where we set no_init if the NSS database has already been initialized. The path seems to be the same for user-show and cert-request but with cert-request we load a CSR file.
In pkcs10.py we initialize NSS with no db to load the CSR for validation. This wasn't being shut down and no_init was being set to True because we were setting dbdir too early in the connection so nss.nss_shutdown() wasn't being called.
With that not called NSS works but doesn't have the CA hence the untrusted error.
Attachment: freeipa-rcrit-982-noinit.patch
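The mechanism described above, as an added Python model that is not FreeIPA's rpc.py or pkcs10.py code: NssState stands in for python-nss's process-wide init state, Connection stands in for the RPC connection's guard, and the dbdir path is a made-up value. It shows why recording dbdir before the comparison makes the guard compare dbdir to itself, so nss_shutdown() never runs and the no-db init left behind by the CSR loader stays in force without the CA.

```python
"""Added illustration, not FreeIPA's own rpc.py / pkcs10.py code.

NssState is a constructed stand-in for python-nss's global state
(nss_init_nodb / nss_init / nss_shutdown); DBDIR is a made-up path.
"""


class NssState:
    """Stand-in for NSS's process-wide init state.

    Like real NSS, a second init while already initialised is a no-op, so
    whatever was set up first (here: the no-db init used to parse the CSR)
    stays in force until shutdown() is called.
    """

    def __init__(self):
        self.initialized = False
        self.dbdir = None  # None while initialised without a database

    def init_nodb(self):
        if not self.initialized:
            self.initialized, self.dbdir = True, None

    def init(self, dbdir):
        if not self.initialized:
            self.initialized, self.dbdir = True, dbdir

    def is_initialized(self):
        return self.initialized

    def shutdown(self):
        self.initialized, self.dbdir = False, None

    def trusts_ipa_ca(self):
        # Only a real certificate database carries the IPA CA; a no-db init
        # trusts nothing, which surfaces as SEC_ERROR_UNTRUSTED_ISSUER.
        return self.initialized and self.dbdir is not None


class Connection:
    """Models the RPC connection's NSS handling; `fixed` selects the ordering."""

    def __init__(self, nss, fixed):
        self.nss = nss
        self.fixed = fixed
        self.dbdir = None  # dbdir this connection last initialised NSS with

    def _nss_initialized_elsewhere(self, dbdir):
        # True when NSS is up but not with the database we are about to use.
        return self.nss.is_initialized() and self.dbdir != dbdir

    def connect(self, dbdir):
        if not self.fixed:
            self.dbdir = dbdir  # bug: recorded before the comparison below
        if self._nss_initialized_elsewhere(dbdir):
            self.nss.shutdown()
        self.dbdir = dbdir
        self.nss.init(dbdir)
        return self.nss.trusts_ipa_ca()


DBDIR = "/tmp/example-nssdb"  # constructed path, not FreeIPA's real location


def user_show(fixed):
    """user-show: nothing touched NSS before the connection, so both orderings work."""
    nss = NssState()
    return Connection(nss, fixed).connect(DBDIR)


def cert_request(fixed):
    """cert-request: the CSR loader initialised NSS with no db and did not shut it down."""
    nss = NssState()
    nss.init_nodb()  # what the CSR validation step does before the RPC call
    return Connection(nss, fixed).connect(DBDIR)


if __name__ == "__main__":
    for name, fn in (("user-show", user_show), ("cert-request", cert_request)):
        print("%-13s buggy=%-5s fixed=%s" % (name, fn(False), fn(True)))
```

Running it prints `True` for both orderings of user-show, but `False` for the buggy cert-request and `True` once the comparison is made before dbdir is recorded.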
This failed on a standalone IPA server with:
    $ mkdir db
    $ certutil -N -d db          (I'm lazy, set no password)
    $ certutil -R -s 'CN=fqdn.example.com,O=EXAMPLE.COM' -d db -a > db/fqdn.csr
    $ ipa cert-request --add --principal=test/fqdn.example.com db/fqdn.csr
    FAIL with an untrusted CA error
Martin reported that this worked for him. You can also verify the fix by modifying ipalib/rpc.py. I stuck a pdb trace into __nss_initialized() and saw that it was being called for the first request too, so it was always comparing itself to itself and therefore nss_shutdown() was never called.
master: 17ba58a
ipa-2-2: e6d997a
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=804128 (Red Hat Enterprise Linux 6)
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03