#6415 replica-install creates spurious entries in cn=certificates
Closed: Fixed. Opened 7 years ago by ftweedal.

When a custom subject_base is used e.g. "O=IPA.LOCAL 201610201420",
the replica-install code that creates the DS and HTTP NSSDBs erroneously
compares the subject of CA certs to the default subject base. This
causes the IPA CA cert to be added with a nickname derived from the
subject name instead of "{REALM} IPA CA".

Later in the process, the upload_cacrt plugin reads certs from the HTTP
NSSDB in order to update the cn=certificates LDAP certstore. The NSSDB
nickname of the cert is used as the CN for the entry. Because the IPA CA
cert was not installed in the HTTP NSSDB with the "{REALM} IPA CA" nickname,
this causes a spurious entry to be added to the certstore.
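The nickname check the ticket describes, as an added example that is not FreeIPA's code or the reporter's: it mirrors the intended comparison against the configured subject_base, shows how comparing against the default base instead yields a subject-derived nickname, and flags CA certs in an NSSDB listing that would become spurious cn=certificates entries. The tuple-based listing, the "subject string used as fallback nickname" behaviour and the default base "O={REALM}" are assumptions for illustration.

```python
# Added example, not FreeIPA project code. Assumptions: the default
# subject_base is "O={REALM}", the NSSDB listing is given as
# (nickname, subject, trust) tuples, and an unrecognised CA cert is
# nicknamed with its subject string (the ticket only says "derived from
# the subject name").

def expected_ca_nickname(realm):
    """Nickname FreeIPA expects for its CA cert in the DS and HTTP NSSDBs."""
    return "{} IPA CA".format(realm)

def default_subject_base(realm):
    """Subject base used when no custom one is configured (assumed O=REALM)."""
    return "O={}".format(realm)

def ipa_ca_subject(subject_base):
    """Subject of the IPA CA cert for a given subject base."""
    return "CN=Certificate Authority,{}".format(subject_base)

def nickname_for(subject, realm, subject_base):
    """Nickname a CA cert receives when loaded into an NSSDB.

    The correct behaviour compares against the *configured* subject_base.
    Passing default_subject_base(realm) for a deployment with a custom base
    reproduces the bug: the IPA CA is not recognised, so the nickname falls
    back to the subject-derived form instead of "{REALM} IPA CA"."""
    if subject == ipa_ca_subject(subject_base):
        return expected_ca_nickname(realm)
    return subject  # assumed fallback: subject string as nickname

def spurious_ca_entries(listing, realm):
    """Return nicknames that would turn into spurious cn=certificates CNs:
    CA-trusted certs ('C' in the SSL trust flags) carrying the IPA CA
    subject pattern but not the expected realm nickname."""
    expected = expected_ca_nickname(realm)
    bad = []
    for nickname, subject, trust in listing:
        is_ca = "C" in trust.split(",")[0]
        if is_ca and subject.startswith("CN=Certificate Authority,") \
                and nickname != expected:
            bad.append(nickname)
    return bad

if __name__ == "__main__":
    realm = "IPA.LOCAL"
    custom_base = "O=IPA.LOCAL 201610201420"      # value from the ticket
    ca = ipa_ca_subject(custom_base)
    print(nickname_for(ca, realm, custom_base))                # correct
    print(nickname_for(ca, realm, default_subject_base(realm)))  # buggy
    # constructed HTTP NSSDB listing after a replica install hit the bug
    listing = [("Server-Cert", "CN=replica.ipa.local," + custom_base, "u,u,u"),
               (ca, ca, "CT,C,C")]
    print(spurious_ca_entries(listing, realm))
```

Running spurious_ca_entries over the real listing (nicknames and subjects read from the HTTP NSSDB) tells you whether a replica is carrying the mis-nicknamed CA before upload_cacrt copies it into cn=certificates.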
Fraser, what is the impact of this bug?

Petr: I don't think it causes major issues, just the extra entries hanging
around, and certs in NSSDBs with nicknames that you don't expect.

I will have to perform some replica installations from replicas to
confirm that it does not actually cause failures (will advise outcome
in a follow-up comment).

Petr: confirmed that it does not affect replica installation, it is just the
single spurious entry that gets added, which might also be seen e.g. during
client installation as an additional CA cert.

So, low impact: "minor visual nuisance", some users might ask about it, etc.

master:

  • cdd41e0 Ensure correct IPA CA nickname in DS and HTTP NSSDBs

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5

7 years ago

