I have ipa-server-3.0.0-25.el6.x86_64 on RHEL 6.4 and an enrolled RHEL 6.4 client. I was debugging some certmonger issue and I wanted to check if the CA certificate used by the client matches the one on the server. So I ran
# md5sum /etc/ipa/ca.crt
on both client and server and compared the hashes.
I panicked because they were not the same.
After a while I stopped panicking and ran
# openssl x509 -text < /etc/ipa/ca.crt
and they seemed to be the same.
Long story short, on the client, the certificate does not have a trailing newline. On the server it does. I believe it should have the newline on the client as well.
Is this patch what could be needed?
diff --git a/ipalib/x509.py b/ipalib/x509.py index dc5418e..b04d30f 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -169,7 +169,7 @@ def make_pem(data): pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) return '-----BEGIN CERTIFICATE-----\n' + \ pemcert + \ - '\n-----END CERTIFICATE-----' + '\n-----END CERTIFICATE-----\n' def normalize_certificate(rawcert): """
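Review bot: the trailing '\n' added after '-----END CERTIFICATE-----' changes what make_pem() returns for every caller, not only the path that writes the client's ca.crt. A caller that already appends its own newline after make_pem() will now emit a blank line, and any code that compares the returned string against a stored PEM will stop matching. Check the call sites before merging, and add a test asserting that the output ends with exactly one newline.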
I tested the patch and it does its job, but it still does not make the cert identical. You would also have to change
pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
to
pemcert = '\r\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
to fix the new lines...
attachment freeipa-rga-0050-Fix-client-ca.crt-to-match-the-server-s-cert.patch
master:
Metadata Update from @adelton: - Issue assigned to rga - Issue set to the milestone: FreeIPA 4.3
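An added example (not part of the ticket or of FreeIPA's code): comparing PEM files by a hash of the decoded DER rather than of the file bytes, so that the trailing-newline and CRLF differences discussed above do not register as a certificate mismatch. `wrap_pem`, `pem_to_der` and the sample bytes are hypothetical names and constructed data, and SHA-256 stands in for the `md5sum` used in the report.

```python
import base64
import hashlib

# Constructed stand-in for DER bytes; NOT a real certificate.
SAMPLE_DER = bytes(range(256)) * 3


def wrap_pem(der, eol="\n", trailing_eol=False):
    """Hypothetical helper: PEM-armor DER bytes with a chosen line ending."""
    b64 = base64.b64encode(der).decode("ascii")
    body = eol.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = "-----BEGIN CERTIFICATE-----" + eol + body + eol + "-----END CERTIFICATE-----"
    return pem + (eol if trailing_eol else "")


def pem_to_der(pem):
    """Drop the armor lines and all line endings, then base64-decode the body."""
    lines = (line.strip() for line in pem.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body)


def file_digest(pem):
    """What hashing the file on disk sees: every byte, line endings included."""
    return hashlib.sha256(pem.encode("ascii")).hexdigest()


def cert_fingerprint(pem):
    """Hash of the decoded DER, independent of PEM whitespace."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def same_certificate(pem_a, pem_b):
    return cert_fingerprint(pem_a) == cert_fingerprint(pem_b)


# The three encodings that come up in this ticket.
VARIANTS = {
    "lf, no trailing newline": wrap_pem(SAMPLE_DER),
    "lf, trailing newline": wrap_pem(SAMPLE_DER, trailing_eol=True),
    "crlf, trailing newline": wrap_pem(SAMPLE_DER, eol="\r\n", trailing_eol=True),
}

if __name__ == "__main__":
    for name, pem in VARIANTS.items():
        print(f"{name:26} file={file_digest(pem)[:16]} cert={cert_fingerprint(pem)[:16]}")
```

On a real system the same comparison is available from `openssl x509 -noout -fingerprint`, which also hashes the DER encoding rather than the file.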