Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1318903
Description of problem:
IPA doesn't work with subCA-signed certificates while doing external signing. ipa-server-install fails when a subCA signs the cert. When an external CA is tested with IPA and we have a CA certificate chain (for example with a subCA), in that case it fails.

Version-Release number of selected component (if applicable):
RHEL 7.2

How reproducible:
always

Steps to Reproduce:
1. configure ipa-server-install --external-ca. Use the CSR request and generate a signed cert. ==> Works as expected
2. /usr/sbin/ipa-server-install --external-cert-file=/root/file3 --external-cert-file=/root/file2 -vv

Actual results:
When we provide a chain of certificates which has 2-3 certificates, as it is a subCA, then it doesn't work as expected.

Expected results:
It should be able to detect the certificate chain.

Additional info:
<log stack>
2016-03-16T09:08:12Z DEBUG stderr=
2016-03-16T09:08:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 308, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 278, in run
    self.validate()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 287, in validate
    for nothing in self._validator():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 501, in _configure
    validator.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 342, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 420, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 417, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    install_check(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 263, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 603, in install_check
    ca.install_check(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 61, in install_check
    options.external_cert_files, options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1028, in load_external_cert
    (", ".join(files)))
2016-03-16T09:08:12Z DEBUG The ipa-server-install command failed, exception: ScriptError: CA certificate chain in cert, chain is incomplete
2016-03-16T09:08:12Z ERROR CA certificate chain in cert, chain is incomplete
IPA correctly tells that the chain is incomplete but it doesn't report which cert(s) are missing.
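An added example, not FreeIPA's own code, of the check a practitioner would run on the files passed to --external-cert-file before retrying the install: it walks from the externally signed IPA CA certificate up to a self-signed root and names the issuer DN that no supplied file contains, which is what the "chain is incomplete" error leaves out. It assumes the `openssl` command is on PATH (used only to read the subject and issuer out of each PEM block); the chain walk itself is pure Python over (subject, issuer) records. Matching is by RFC 2253 DN string only, so it tells you which certificate is missing, not whether the supplied ones are validly signed.

```python
"""Report which certificate is missing from an externally signed IPA CA chain.

Added example; this is not FreeIPA code. It assumes the `openssl` command is
on PATH (used only to read subject/issuer out of PEM files). The chain walk
itself is pure Python over (subject, issuer) records, so it can be tested
without any certificate files.
"""
import re
import subprocess
import sys
from typing import Dict, List, NamedTuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


class CertInfo(NamedTuple):
    subject: str
    issuer: str
    source: str  # file the certificate came from, for the report

    @property
    def self_signed(self) -> bool:
        # Name match only; this does not verify the signature.
        return self.subject == self.issuer


def split_pem(text: str) -> List[str]:
    """Return every PEM certificate block in a (possibly bundled) file."""
    return PEM_BLOCK.findall(text)


def cert_names(pem: str, source: str) -> CertInfo:
    """Extract subject and issuer DNs with `openssl x509` (assumed on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-nameopt", "RFC2253"],
        input=pem.encode(), capture_output=True, check=True,
    ).stdout.decode()
    fields = {}
    for line in out.splitlines():          # e.g. "subject=CN=Sub CA,O=Example"
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return CertInfo(fields["subject"], fields["issuer"], source)


def load_files(paths: List[str]) -> List[CertInfo]:
    """Read every certificate from each file given on the command line."""
    certs: List[CertInfo] = []
    for path in paths:
        with open(path) as fh:
            certs.extend(cert_names(pem, path) for pem in split_pem(fh.read()))
    return certs


def missing_issuers(certs: List[CertInfo]) -> List[str]:
    """Issuer DNs needed to reach a self-signed root that were not supplied.

    Walks upward from each leaf (a non-self-signed certificate that issued
    nothing else in the set) until a self-signed certificate is reached.
    An empty list means the chain is complete.
    """
    by_subject: Dict[str, CertInfo] = {}
    for cert in certs:
        by_subject.setdefault(cert.subject, cert)   # first copy of a DN wins
    issuers = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if not c.self_signed and c.subject not in issuers]
    missing: List[str] = []
    for leaf in leaves:
        cur, seen = leaf, set()
        while not cur.self_signed:
            if cur.subject in seen:
                raise ValueError("issuer loop at %s" % cur.subject)
            seen.add(cur.subject)
            parent = by_subject.get(cur.issuer)
            if parent is None:
                if cur.issuer not in missing:
                    missing.append(cur.issuer)
                break
            cur = parent
    return missing


def main(argv: List[str]) -> int:
    certs = load_files(argv)
    for c in certs:
        print("%s: subject=%s issuer=%s" % (c.source, c.subject, c.issuer))
    missing = missing_issuers(certs)
    if not missing:
        print("chain complete")
        return 0
    for dn in missing:
        print("chain is incomplete: no certificate with subject '%s'" % dn)
    return 1


if __name__ == "__main__":
    # usage: python check_chain.py /root/file3 /root/file2
    sys.exit(main(sys.argv[1:]))
```

Run it with the same files you pass to ipa-server-install; the named DN is the certificate to add (typically the root or an intermediate the external CA did not include in its bundle). Self-signed detection is subject == issuer, which is enough to find the top of the chain but is not a signature check.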
attachment freeipa-frenaud-0004-Report-missing-certificate-in-external-trust-chain.patch
attachment freeipa-frenaud-0004-2-Report-missing-certificate-in-external-trust-chain.patch
master:
Metadata Update from @pvoborni: - Issue assigned to frenaud - Issue set to the milestone: FreeIPA 4.4