Issue #4300: CA-less does not upload CA certificate correctly - freeipa

freeipa

#4300 CA-less does not upload CA certificate correctly

Closed: Fixed None Opened 10 years ago by mkosek.

In a build from current master branch, CA-less installation does not work correctly and uploads an invalid certificate to cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com:

# ipa-server-install -U --setup-dns --forwarder=10.34.47.2 --reverse-zone=47.34.10.in-addr.arpa. -p Secret123 -a Secret123 -r  IDM.LAB.ENG.BRQ.REDHAT.COM -n idm.lab.eng.brq.redhat.com --http_pkcs12 /home/mkosek/STAR.idm.lab.eng.brq.redhat.com.p12 --dirsrv_pkcs12 /home/mkosek/STAR.idm.lab.eng.brq.redhat.com.p12 --http_pin 12345678 --dirsrv_pin 12345678 --root-ca-file /home/mkosek/caless-external-ca.crt



# ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b "" -b 'cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' cACertificate

# CAcert, ipa, etc, idm.lab.eng.brq.redhat.com
dn: cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
cACertificate;binary:
...

/etc/ipa/ca.crt looks OK on the other hand:

# openssl x509 -in /etc/ipa/ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Martinovo, CN=Certificate Authority
        Validity
            Not Before: Apr  1 07:55:54 2014 GMT
            Not After : Apr  1 07:55:54 2024 GMT
        Subject: O=Martinovo, CN=Certificate Authority
...
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign
    Signature Algorithm: sha1WithRSAEncryption
...

mkosek commented 10 years ago

This causes a lot of CI errors, Honza please investigate.

mkosek commented 10 years ago

Starting review

mkosek commented 10 years ago

master:

915cd69 Fix upload of CA certificate to LDAP in CA-less install.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

7 years ago

Metadata

Assignee

jcholast

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.0 - 2014/04

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Installation

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

mkosek

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#4300 CA-less does not upload CA certificate correctly Closed: Fixed None Opened 10 years ago by mkosek.

Metadata

#4300 CA-less does not upload CA certificate correctly

Closed: Fixed None Opened 10 years ago by mkosek.