In a build from current master branch, CA-less installation does not work correctly and uploads an invalid certificate to cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com:

    # ipa-server-install -U --setup-dns --forwarder=10.34.47.2 --reverse-zone=47.34.10.in-addr.arpa. -p Secret123 -a Secret123 -r IDM.LAB.ENG.BRQ.REDHAT.COM -n idm.lab.eng.brq.redhat.com --http_pkcs12 /home/mkosek/STAR.idm.lab.eng.brq.redhat.com.p12 --dirsrv_pkcs12 /home/mkosek/STAR.idm.lab.eng.brq.redhat.com.p12 --http_pin 12345678 --dirsrv_pin 12345678 --root-ca-file /home/mkosek/caless-external-ca.crt

    # ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b "" -b 'cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' cACertificate
    # CAcert, ipa, etc, idm.lab.eng.brq.redhat.com
    dn: cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
    cACertificate;binary: ...

/etc/ipa/ca.crt looks OK on the other hand:

    # openssl x509 -in /etc/ipa/ca.crt -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: O=Martinovo, CN=Certificate Authority
            Validity
                Not Before: Apr 1 07:55:54 2014 GMT
                Not After : Apr 1 07:55:54 2024 GMT
            Subject: O=Martinovo, CN=Certificate Authority
            ...
            X509v3 extensions:
                Netscape Cert Type:
                    SSL CA, S/MIME CA, Object Signing CA
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Certificate Sign
        Signature Algorithm: sha1WithRSAEncryption
        ...

This causes a lot of CI errors. Honza, please investigate.
Starting review
master:
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.0 - 2014/04