I'm using ipa-server-2.1.3-9.el6.x86_64 in centog 6.2.
I'm trying to setup the dovecot SSL part. I followed the documentation and created the csr file (actually, in many ways...), but any csr I tried returns a:
ipa: ERROR: Certificate operation cannot be completed: Issuer "CN=Certificate Authority,DC=xxxxx,DC=yy" does not match the expected issuer
I tried to change the csr subject in many ways, but the error remains. I have found no informations in the documentation, or even in Google... The only non-standard thing that I've done during the installation is using "--subject" in ipa-server-install.
P.S.: my apologies, my english is alpha version...
sorry... centog = centos
You can determine the subject base with:
$ ipa config-show | grep Subject
Try with this value.
The result, as expected, is (in the example) dc=xxxxx,dc=yy.
Maybe can help to know the fact that the server for which I'm creating the certificate is the same as the main IPA server.
But, again, nowhere in the docs is written that there are limitation in csr creation.
This is a bug. It is enforcing that the subject base be the same as the Kerberos realm, not the configured subject base in ipalib/x509.py::verify_cert_subject
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=802912
master: 6d5555eb54cdbe19d4f2f05a340b9ea7ccf2369f
ipa-2-2: 5babb36
The master commit is bd440d5
Metadata Update from @gturchi: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03
Login to comment on this ticket.