#5792 ipa-server-install: report which certificate is missing in external cert trust chain
Closed: Fixed None Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1318903

Description of problem:

IPA doesn't work with subCA-signed certificates while doing external signing.
ipa-server-install fails when a subCA signs the cert.
When an external CA is tested with IPA and we have a CA certificate chain (for
example, with a subCA), it fails.

Version-Release number of selected component (if applicable):

RHEL 7.2

How reproducible:

always

Steps to Reproduce:
1. Configure ipa-server-install --external-ca.
Use the CSR request and generate a signed cert.  ==> Works as expected
2. /usr/sbin/ipa-server-install --external-cert-file=/root/file3 --external-cert-file=/root/file2 -vv



Actual results:

When we provide a chain of certificates which has 2-3 certificates, as it is a
subCA, then it doesn't work as expected.

Expected results:
It should be able to detect the certificate chain

Additional info:

<log stack>
2016-03-16T09:08:12Z DEBUG stderr=
2016-03-16T09:08:12Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 308,
in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278,
in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287,
in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342,
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364,
in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332,
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501,
in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342,
in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420,
in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364,
in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417,
in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364,
in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332,
in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87,
in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65,
in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63,
in _install

    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
line 603, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 61, in
install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 1028, in load_external_cert
    (", ".join(files)))

2016-03-16T09:08:12Z DEBUG The ipa-server-install command failed, exception:
ScriptError: CA certificate chain in cert, chain is incomplete
2016-03-16T09:08:12Z ERROR CA certificate chain in cert, chain is incomplete

IPA correctly tells that the chain is incomplete but it doesn't report which cert(s) are missing.
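
The kind of diagnostic this ticket asks for, as an added example (not FreeIPA code, and not taken from commit 517964f): walk from the CA certificate toward a self-signed root and, when an issuer is absent from the supplied files, name its subject DN. Assumptions: certificates are modelled as `subject`/`issuer` pairs, and `Cert`, `IncompleteChain`, `build_chain` and the sample DNs are hypothetical names constructed for illustration.

```python
from collections import namedtuple

# Simplified stand-in for a parsed X.509 certificate: only the two DNs the
# chain walk needs. Real code would parse these from the supplied files and
# also verify each signature; DN matching alone is not trust validation.
Cert = namedtuple("Cert", "subject issuer")


class IncompleteChain(Exception):
    """Raised when an issuer certificate is absent from the supplied set."""

    def __init__(self, missing_subject, found):
        self.missing_subject = missing_subject
        self.found = found  # chain built so far, leaf first
        super().__init__(
            "CA certificate chain is incomplete: missing certificate "
            "with subject '%s' (issuer of '%s')"
            % (missing_subject, found[-1].subject))


def build_chain(leaf, supplied):
    """Return [leaf, ..., root], or raise IncompleteChain naming the gap."""
    by_subject = {c.subject: c for c in supplied}
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:  # stop at self-signed root
        issuer_dn = chain[-1].issuer
        parent = by_subject.get(issuer_dn)
        if parent is None:
            raise IncompleteChain(issuer_dn, chain)
        if parent.subject in seen:  # malformed input: issuer loop
            raise ValueError("issuer loop at '%s'" % parent.subject)
        seen.add(parent.subject)
        chain.append(parent)
    return chain


# Constructed sample DNs (not from the ticket).
IPA_CA = Cert("CN=Certificate Authority,O=IPA.EXAMPLE", "CN=Example Sub CA,O=Example")
SUB_CA = Cert("CN=Example Sub CA,O=Example", "CN=Example Root CA,O=Example")
ROOT_CA = Cert("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example")

if __name__ == "__main__":
    print([c.subject for c in build_chain(IPA_CA, [SUB_CA, ROOT_CA])])
    try:
        build_chain(IPA_CA, [ROOT_CA])  # intermediate left out
    except IncompleteChain as exc:
        print(exc)
```

The order in which the certificates are supplied does not matter, since issuers are looked up by subject DN.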

master:

  • 517964f Report missing certificate in external trust chain

Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4

7 years ago
