#4565 Upgrade sometimes does not upload certificate to LDAP
Closed: Fixed None Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1131907

jcholast's assessment:

Looking at the upgrade log, I can see the empty certificate got into LDAP during the upgrade, in the upload_cacrt update plugin. The plugin should have looked for a certificate named "$REALM IPA CA" (which you can see in the certutil output in comment 13), but it looked for "$REALM Certificate Authority" instead. Ever since upload_cacrt was introduced, "$REALM Certificate Authority" is not used anywhere in the related code, so I can only guess there was some mixup with code from the IPA version the server was upgraded from.


Can be fixed by checking for the empty value in the upload_cacrt update plugin.

So far, this was only reproduced once on a very old FreeIPA instance. Moving to future milestone. If it reproduces again, we should bump the priority.

However, patches are welcome!

master:

  • 39e474e certstore: Make certificate retrieval more robust
  • 95a628c client-install: Do not crash on invalid CA certificate in LDAP
  • 572d68b client: Fix ca_is_enabled calls
  • fa50068 upload_cacrt: Fix empty cACertificate in cn=CAcert

ipa-4-1:

  • 4154c88 certstore: Make certificate retrieval more robust
  • ad77613 client-install: Do not crash on invalid CA certificate in LDAP
  • 6e67210 client: Fix ca_is_enabled calls
  • f0a49b9 upload_cacrt: Fix empty cACertificate in cn=CAcert
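Added example, not part of the ticket or of FreeIPA's code: a sketch of the two checks the ticket and the commit titles point at, refusing to upload an empty cACertificate value and skipping unusable values on retrieval. The function names, the realm EXAMPLE.TEST and the sample bytes are hypothetical, and the check is only a structural DER test, not a full X.509 parse.

```python
# Added illustration; names and sample data are hypothetical, not FreeIPA code.

def der_sequence_ok(value: bytes) -> bool:
    """Cheap structural check: a certificate is one DER SEQUENCE that
    spans the whole value. Rejects empty and truncated attribute values."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    first = value[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(value) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(value[2:2 + n], "big")
    return len(value) == header + length


def pick_ca_cert(nss_certs: dict, nickname: str) -> bytes:
    """Upload side: return the DER for `nickname`, or raise instead of
    handing an empty value to the LDAP update."""
    der = nss_certs.get(nickname, b"")
    if not der_sequence_ok(der):
        raise ValueError(f"no usable certificate for nickname {nickname!r}")
    return der


def usable_ca_certs(values: list) -> list:
    """Retrieval side: skip unusable cACertificate values, don't crash."""
    return [v for v in values if der_sequence_ok(v)]


# Constructed sample: a 4-byte DER SEQUENCE stands in for a real certificate.
FAKE_DER = bytes([0x30, 0x02, 0x05, 0x00])
NSS_DB = {"EXAMPLE.TEST IPA CA": FAKE_DER}
```

Looking up the wrong nickname, as in the assessment above, raises here instead of producing an empty value for LDAP.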

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.4

7 years ago
