Even though IPA certificates point to MasterCRL.bin over plain HTTP, the request is automatically redirected to HTTPS, although the CRL itself is already signed. This causes a certificate verification problem when the CA that signed the server's SSL certificate is not trusted by the client:
```
# openssl x509 -text -in /tmp/cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority
        Validity
            Not Before: Jun 13 18:20:03 2013 GMT
            Not After : Jun 14 18:20:03 2015 GMT
        Subject: O=IDM.LAB.BOS.REDHAT.COM, CN=testcert.example.com
...
            Authority Information Access:
                OCSP - URI:http://ipa-ca.idm.lab.bos.redhat.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier:
                CE:3B:23:0A:AA:5A:18:FF:47:F7:48:C7:81:A8:24:3D:1E:23:05:70
...

# wget http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
--2013-06-13 15:19:10--  http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Resolving ipa-ca.idm.lab.bos.redhat.com (ipa-ca.idm.lab.bos.redhat.com)... 10.16.78.119
Connecting to ipa-ca.idm.lab.bos.redhat.com (ipa-ca.idm.lab.bos.redhat.com)|10.16.78.119|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin [following]
--2013-06-13 15:19:10--  http://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Resolving vm-119.idm.lab.bos.redhat.com (vm-119.idm.lab.bos.redhat.com)... 10.16.78.119
Reusing existing connection to ipa-ca.idm.lab.bos.redhat.com:80.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin [following]
--2013-06-13 15:19:10--  https://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
Connecting to vm-119.idm.lab.bos.redhat.com (vm-119.idm.lab.bos.redhat.com)|10.16.78.119|:443... connected.
ERROR: cannot verify vm-119.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-119.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.
```
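As an added example (not code from the ticket or from FreeIPA), the check below walks the redirect chain of a CRL Distribution Point URI and reports failure when the chain lands on https, which is exactly what the wget session above shows. `head_no_redirect`, `follow_crl_redirects` and the `TICKET_CHAIN` table are this example's own names, and the simulated responses are constructed from that session so the check runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def head_no_redirect(url, timeout=10):
    """One HEAD request over plain http; returns (status, Location) without
    following the redirect. Non-http URLs are not fetched at all."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None, None
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def follow_crl_redirects(url, fetch=head_no_redirect, max_hops=5):
    """Walk the redirect chain from a CRL Distribution Point URI.

    Returns (ok, hops): hops lists every URL visited, ok is True only if the
    chain ends in a 2xx over plain http. Landing on https:// is a failure,
    since the signed CRL is then gated behind TLS trust in the CA itself."""
    hops = [url]
    for _ in range(max_hops):
        current = hops[-1]
        if urlsplit(current).scheme == "https":
            return False, hops
        status, location = fetch(current)
        if status in REDIRECTS and location:
            hops.append(urljoin(current, location))
            continue
        return status is not None and 200 <= status < 300, hops
    return False, hops  # redirect loop or chain too long

# Constructed stand-in for the ticket's server: reproduces the two 301 hops
# from the wget session above so the check runs offline. Other URLs are
# served directly, which is the behaviour a fixed server should show.
TICKET_CHAIN = {
    "http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin":
        (301, "http://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin"),
    "http://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin":
        (301, "https://vm-119.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin"),
}

def simulated_fetch(url):
    return TICKET_CHAIN.get(url, (200, None))
```

Point `follow_crl_redirects` at the `URI:` from the certificate's CRL Distribution Points extension (the default fetcher issues real HEAD requests) and treat `ok == False` as the misconfiguration this ticket describes.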
Related upstream tickets: #3547, #3552
master: 6118b73
ipa-3-2: 020b4a7
Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)