#4300 CA-less does not upload CA certificate correctly
Closed: Fixed None Opened 10 years ago by mkosek.

In a build from current master branch, CA-less installation does not work correctly and uploads an invalid certificate to cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com:

# ipa-server-install -U --setup-dns --forwarder= --reverse-zone=47.34.10.in-addr.arpa. -p Secret123 -a Secret123 -r  IDM.LAB.ENG.BRQ.REDHAT.COM -n idm.lab.eng.brq.redhat.com --http_pkcs12 /home/mkosek/STAR.idm.lab.eng.brq.redhat.com.p12 --dirsrv_pkcs12 /home/mkosek/STAR.idm.lab.eng.brq.redhat.com.p12 --http_pin 12345678 --dirsrv_pin 12345678 --root-ca-file /home/mkosek/caless-external-ca.crt

# ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b "" -b 'cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' cACertificate

# CAcert, ipa, etc, idm.lab.eng.brq.redhat.com
dn: cn=CAcert,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

/etc/ipa/ca.crt looks OK on the other hand:

# openssl x509 -in /etc/ipa/ca.crt -text
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Martinovo, CN=Certificate Authority
            Not Before: Apr  1 07:55:54 2014 GMT
            Not After : Apr  1 07:55:54 2024 GMT
        Subject: O=Martinovo, CN=Certificate Authority
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign
    Signature Algorithm: sha1WithRSAEncryption

This causes a lot of CI errors, Honza please investigate.


  • 915cd69 Fix upload of CA certificate to LDAP in CA-less install.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.0 - 2014/04

7 years ago

Log in to comment on this ticket.