Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1131907
jcholast's assessment:
Looking at the upgrade log, I can see the empty certificate got into LDAP during the upgrade, in the upload_cacrt update plugin. The plugin should have looked for a certificate named "$REALM IPA CA" (which you can see in the certutil output in comment 13), but it looked for "$REALM Certificate Authority" instead. Ever since upload_cacrt was introduced, "$REALM Certificate Authority" is not used anywhere in the related code, so I can only guess there was some mixup with code from the IPA version the server was upgraded from.
Can be fixed by checking for the empty value in the upload_cacrt update plugin.
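A sketch of the guard suggested above, added here as an illustration and not taken from the FreeIPA code base: the NSS database is modelled as a plain dict of nickname to DER bytes, and the function names, the sample bytes and the DN placeholder are all assumptions.

```python
# Added illustration; every name here is hypothetical, not FreeIPA's API.

def der_looks_like_cert(der: bytes) -> bool:
    """Cheap structural check: a non-empty DER SEQUENCE whose length field
    matches the number of bytes actually present."""
    if not der or der[0] != 0x30 or len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, body_len = 2, first
    else:                                 # long form: low 7 bits = length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return body_len > 0 and len(der) == header + body_len


def ca_cert_update(nss_db: dict, nickname: str):
    """Build the LDAP update for the CA certificate, or return None so the
    caller skips the update instead of storing an empty value."""
    der = nss_db.get(nickname, b"")       # a wrong nickname yields b""
    if not der_looks_like_cert(der):
        return None
    return {
        "dn": "<CA certificate entry DN>",   # placeholder, not from the ticket
        "attr": "cACertificate;binary",
        "value": der,
    }


# Constructed sample: a 5-byte DER SEQUENCE standing in for a real certificate.
REALM = "EXAMPLE.COM"
SAMPLE_DB = {f"{REALM} IPA CA": b"\x30\x03\x02\x01\x01"}

if __name__ == "__main__":
    # Nickname actually present in the database: an update is produced.
    print(ca_cert_update(SAMPLE_DB, f"{REALM} IPA CA"))
    # Nickname the plugin looked for in this ticket: nothing found, so skip.
    print(ca_cert_update(SAMPLE_DB, f"{REALM} Certificate Authority"))
```

The structural check is deliberately shallow; a real plugin would parse the certificate with its existing X.509 code before uploading.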
So far, this was only reproduced once on a very old FreeIPA instance. Moving to future milestone. If it reproduces again, we should bump the priority.
However, patches are welcome!
master:
ipa-4-1:
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1.4