#1742 pkispawn ignores 3rd party CA certs in pki_clone_pkcs12_path
Closed: Fixed None Opened 8 years ago by jcholast.

If pki_clone_uri in pkispawn config file points to a host which uses a server
cert signed by a 3rd party CA, pkispawn will fail even if the 3rd party CA cert
is present in the PKCS#12 file specified by pki_clone_pkcs12_path.

This causes a failure in IPA replica install:

Steps to Reproduce:

1. Run pkispawn with the config described above

Actual results:

pkispawn fails

Expected results:

pkispawn succeeds

Should target Fedora 23 and Fedora 24.

More likely than not, that is simply a trust issue. The deal is that we need to communicate with the ipa http server, but this server has a server cert that has been issued by some other ca. When we import certs from the pk12 file, we don't blindly import all certs in the p12 file. Rather we import specific certs as specified by nickname.

In this case the nicknames of the system certs for the dogtag instance - which will pull in any other certs in the cert chain, like for instance the external cert that might have been used to sign the master's ca cert, but it will not pull in the cert for ipa's httpd server -- or the cert that signed it, because that's not to be installed in the ca in any case.

This is basically a proxy problem. We need to provide some mechanism to import a ca cert for the proxy if need be.

Per IRC, the steps to reproduce are:

  1. Install IPA server with ipa-server-install.
  2. Install a 3rd party certificate for httpd with ipa-server-certinstall.
  3. Install IPA replica with ipa-replica-install, then run ipa-ca-install on it.

In step 2, we are replacing the proxy server SSL cert. So the replica has no idea how to communicate through the proxy.
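A small diagnostic for the situation described above, added here as an example (it is not part of this ticket or of Dogtag's code): because pkispawn imports only nickname-selected certs from the PKCS#12, it helps to check up front whether the file given as pki_clone_pkcs12_path actually bundles the CA that issued the clone master's httpd server cert. The certificates, the hostname ipa.example.test, the password and the use of the Python `cryptography` library are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, issuer_key, pub, is_ca):
    """Build a minimal X.509 cert signed by issuer_key (constructed test data)."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_fixture(include_third_party_ca):
    """Constructed scenario from the ticket: the master's httpd cert is signed by a
    3rd-party CA; the PKCS#12 holds the Dogtag CA signing cert and, optionally, that CA."""
    ext_key, dogtag_key, httpd_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ext_ca = _cert(_name("Third Party CA"), _name("Third Party CA"), ext_key, ext_key.public_key(), True)
    httpd = _cert(_name("ipa.example.test"), ext_ca.subject, ext_key, httpd_key.public_key(), False)
    dogtag_ca = _cert(_name("Dogtag CA Signing"), _name("Dogtag CA Signing"), dogtag_key,
                      dogtag_key.public_key(), True)
    p12 = pkcs12.serialize_key_and_certificates(
        b"caSigningCert cert-pki-ca", dogtag_key, dogtag_ca,  # illustrative nickname
        [ext_ca] if include_third_party_ca else None,
        serialization.BestAvailableEncryption(b"Secret.123"))
    return p12, httpd


def issuer_present_in_p12(p12_bytes, password, server_cert):
    """Return True if any cert bundled in the PKCS#12 is the issuer of server_cert:
    its subject must equal server_cert's issuer and the signature must verify."""
    _key, main_cert, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    for cand in [c for c in [main_cert, *(extra or [])] if c is not None]:
        if cand.subject != server_cert.issuer:
            continue
        try:
            cand.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), server_cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue  # same name but not the actual signer; keep looking
    return False
```

Against a real deployment the server cert would be the one served by the host named in pki_clone_uri, and a False result means the file cannot satisfy the trust pkispawn needs for that connection.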

Per CS/DS Meeting of 02/15/2016: 10.2.x

Per discussion in 02/17/2016 call: 10.3.0.a1

NOTE: This ticket should be cloned to 10.2.x.

This ticket has been cloned to #2022 to backport the fix to Dogtag 10.2.x on Fedora 23.

Many patches for this already.

This is just the last one to fix pk12 export.

Counting objects: 10, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 1.29 KiB | 0 bytes/s, done.
Total 10 (delta 8), reused 0 (delta 0)
To ssh://vakwetu@git.fedorahosted.org/git/pki.git
8beb5cf..9c6b53a master -> master

Fixed in master:

  • aa613fa272defcc8eebd4b9ef2556e61683b4e97
  • 709457876a6d5e4aea281a35350667492bc34df8
  • 54849505729d3f6345bc7b530e5a40c14ff36116
  • 6947854a3ab6ee4f296a5f97850f5521572683a1
  • 0d44556fa78203121a24224d4733b89c36ef9cc9
  • a96ecbae1bfa27223bbebc7a67f695b643c4aebe
  • 67a0c95b8622b18c9803b2bfe0f708be8747f896
  • 67402ac16d2635ab3464568ca007cf81c4db73e6
  • b74bf9b82102715e08fa3fd3bd5ce9462312aded
  • b48889a2ef41fd45ca69c3926c36ef075777447c
  • 1d58b883ff9d0056d89d74d30f1375ab12d01f03
  • 935633c5ea9f2b5c4321d924af166367008ac4b3
  • 0dadf421c327bc32d220405208031a9f7e1bb097
  • 9c6b53ac8f6eee2eb8ed8f47a4b26be828626841
  • 20a70830961f532e9483baefb64cc92af7cda8b2

Additional changes for master:

  • 1b15c725b6e9c5d9057b66e0a2806a7813a8d61b
  • 04055a9bc40486950a3288acf610522e767c1e27
  • c14e8c52ae7a2c15433fe9568c393c1d0e7a1301

Metadata Update from @jcholast:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.3.0.a2

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2300

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
