ipaserver/install/certs.py::list_certs has a comment in a very old function, from July 2009:
Finally found something that broke it, even without certutil changing.
If the nickname is too long then the parsing will fail.
Here is what certutil -L looks like:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ABC Internal Intermediate CA                                 CT,,
ABC Internal Root CA                                         CT,,
areallyquitelong.hostname.example.com - ABC Internal Certificate Services u,u,u
ABC Internal Issuing Test CA                                 CT,,
This was worked around by setting a friendly name in the importing PKCS#12 file, but this just shows how fragile this is. There has to be a better way.
With such a nickname the server installation with PKCS#12 files will fail with:
no server certificate found in /root/cert-bundle.pk12
As per jcholast's evaluation, this should be just a regex update.
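The failure described above and a regex-based parse of the kind suggested, as an added example that is not part of the ticket and is not FreeIPA's code. The sample listing is constructed from the output quoted above; the function names, the pattern, and the use of the `u` flag to pick server certificates are assumptions.

```python
import re

# Constructed sample modelled on the `certutil -L` listing quoted in the ticket.
# Short nicknames are padded into a column; the long one is followed by a
# single space, which is the case that broke parsing.
SAMPLE = "\n".join([
    "Certificate Nickname".ljust(61) + "Trust Attributes",
    " " * 61 + "SSL,S/MIME,JAR/XPI",
    "",
    "ABC Internal Intermediate CA".ljust(61) + "CT,,",
    "ABC Internal Root CA".ljust(61) + "CT,,",
    "areallyquitelong.hostname.example.com - "
    "ABC Internal Certificate Services u,u,u",
    "ABC Internal Issuing Test CA".ljust(61) + "CT,,",
])

# Anchor on the trailing trust triple (three comma-separated flag groups).
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_by_columns(output):
    """Fragile: assumes nickname and flags are separated by 2+ spaces."""
    certs = []
    for line in output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2 and parts[1].count(",") == 2:
            certs.append((parts[0], parts[1]))
    return certs

def parse_by_trust_suffix(output):
    """Matches the flags at end of line, so nickname length is irrelevant."""
    certs = []
    for line in output.splitlines():
        m = TRUST_RE.match(line)
        if m and m.group("nick").strip():
            certs.append((m.group("nick").strip(), m.group("trust")))
    return certs

def server_cert_nicknames(certs):
    """Assumption: a 'u' flag (private key present) marks a server cert."""
    return [nick for nick, trust in certs if "u" in trust]

if __name__ == "__main__":
    print("columns:", server_cert_nicknames(parse_by_columns(SAMPLE)))
    print("suffix: ", server_cert_nicknames(parse_by_trust_suffix(SAMPLE)))
```

With the column-based parse the long-nickname entry is silently dropped, so no certificate with a `u` flag is found, which matches the "no server certificate found" symptom.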
master:
ipa-4-1:
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=886645 (Red Hat Enterprise Linux 7)
AFAIK the only reason why this ticket is still open is that the reviewer asked for tests. Shouldn't we instead open a new ticket for tests and close this one?
Right. See #4589.
I'm bumping up against this in ipa 3.3.3 in EL7. Would be nice if it could get backported (which seems quite simple).
Replying to [comment:8 orion]:
Please check EL 7.1 beta.
Metadata Update from @rcritten: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1