My testing CA has an empty subject. When used in a CA-less installation, IPA fails to add it to LDAP. Most likely a regression in #3259.
This should be either allowed, or rejected early with a better error message.
... [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Unexpected error - see /var/log/ipaserver-install.log for details:
InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.
For debugging I added a log call with the entry being added, here's the output along with the exception:
2014-08-07T12:05:18Z DEBUG CA cert entry: LDAPEntry(ipapython.dn.DN('cn=CA 1,cn=certificates,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), {u'ipaKeyExtUsage': ['1.3.6.1.5.5.7.3.1'], u'cn': ['CA 1'], u'objectClass': ['ipaCertificate', 'pkiCA', 'ipaKeyPolicy'], u'ipaCertIssuerSerial': [';1'], u'ipaPublicKey': ['0\x81\x9f...\x02\x03\x01\x00\x01'], u'cACertificate;binary': ["0\x82\x01\xea0...\x8c\x89"], u'ipaKeyTrust': ['trusted'], u'ipaCertSubject': [''], u'ipaConfigString': ['compatCA']})
2014-08-07T12:05:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 1117, in main
    ds.enable_ssl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 353, in enable_ssl
    self.start_creation(runtime=10)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 716, in __upload_ca_cert
    config_compat=self.master_fqdn is None)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 384, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 240, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 155, in add_ca_cert
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1586, in add_entry
    self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1183, in error_handler
    raise errors.InvalidSyntax(attr=info)
2014-08-07T12:05:18Z DEBUG The ipa-server-install command failed, exception: InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.
For reference, my testing CA cert Ext_CA_2.crt
For reference, my server cert (valid for *.idm.lab.eng.brq.redhat.com) STAR.idm.lab.eng.brq.redhat.com.p12
Honzo, any idea for this one?
RFC 5280 section 4.1.2.6. states:
If the subject is a CA (e.g., the basic constraints extension, as discussed in Section 4.2.1.9, is present and the value of cA is TRUE), then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field (Section 4.1.2.4) in all certificates issued by the subject CA.
So it's just a matter of strengthening our validator.
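As an added illustration of the rule quoted above (example code, not FreeIPA's own validator), the check below walks the certificate's DER with the standard library only, reads the subject Name and the BasicConstraints cA flag out of tbsCertificate, and refuses a CA certificate whose subject has zero RDNs before it is ever turned into an ipaCertSubject value that LDAP would reject with "invalid per syntax". The DER walker, the function names and the constructed sample certificates (dummy key, dummy signature) are this example's own assumptions.

```python
# Added example, not FreeIPA code: early RFC 5280 4.1.2.6 check for CA certs.
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_COMMON_NAME = b"\x55\x04\x03"                         # 2.5.4.3
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _decode_oid(value):
    """Render DER OID contents as dotted decimal."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_certificate(der):
    """Return (number of RDNs in the subject, cA flag from BasicConstraints)."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields now: serial, sig alg, issuer, validity, subject, spki, [uids], [3] exts
    rdn_count = sum(1 for _ in _children(fields[4][1]))
    is_ca = False
    for tag, value in fields[6:]:
        if tag != 0xA3:                     # [3] extensions
            continue
        _, ext_seq, _ = _read_tlv(value, 0)
        for _, ext in _children(ext_seq):
            ext_fields = list(_children(ext))          # extnID, [critical], extnValue
            if _decode_oid(ext_fields[0][1]) != OID_BASIC_CONSTRAINTS:
                continue
            _, basic_constraints, _ = _read_tlv(ext_fields[-1][1], 0)
            for btag, bval in _children(basic_constraints):
                if btag == 0x01:            # cA BOOLEAN, DEFAULT FALSE when absent
                    is_ca = bval == b"\xff"
    return rdn_count, is_ca


def ca_cert_problem(der):
    """Return a reason string if the cert is a CA cert with an empty subject, else None."""
    rdn_count, is_ca = parse_certificate(der)
    if is_ca and rdn_count == 0:
        return "CA certificate has an empty subject (RFC 5280 section 4.1.2.6)"
    return None


def validate_ca_cert(der):
    """Raise early, with a readable message, instead of letting LDAP reject the entry."""
    problem = ca_cert_problem(der)
    if problem:
        raise ValueError(problem)
    return True


# Constructed sample certificates: real DER layout, dummy key and signature.
def _tlv(tag, value):
    """DER-encode one TLV, using the long length form above 127 bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(subject_cn, ca):
    """Build a certificate skeleton; subject_cn=None yields an empty subject Name."""
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
    if subject_cn is None:
        name = _tlv(0x30, b"")              # SEQUENCE OF zero RDNs
    else:
        atv = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, subject_cn.encode()))
        name = _tlv(0x30, _tlv(0x31, atv))  # Name > RDN (SET) > AttributeTypeAndValue
    validity = _tlv(0x30, _tlv(0x17, b"140807000000Z") + _tlv(0x17, b"240807000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))
    bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")
    ext = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x13") + _tlv(0x01, b"\xff") + _tlv(0x04, bc))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name + validity + name + spki + _tlv(0xA3, _tlv(0x30, ext)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))


SAMPLE_CA_OK = build_sample_cert("CA 1", ca=True)
SAMPLE_CA_EMPTY_SUBJECT = build_sample_cert(None, ca=True)
SAMPLE_LEAF_EMPTY_SUBJECT = build_sample_cert(None, ca=False)
```

Running `validate_ca_cert` on the three samples accepts the CA with a subject, rejects the CA with an empty subject with a message that names the certificate rather than an LDAP attribute syntax, and accepts the end-entity certificate with an empty subject: section 4.1.2.6 only forbids an empty subject for CAs (for non-CAs it permits one when a critical subjectAltName is present, which this check does not examine).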
Let us fix the validator in 4.1.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1129730
master:
ipa-4-1:
Metadata Update from @pviktori: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1