#4477 CA-less installation fails when the CA cert has an empty subject
Closed: Fixed. Opened 5 years ago by pviktori.

My testing CA has an empty subject. When used in a CA-less installation, IPA fails to add it to LDAP. Most likely a regression in #3259.

This should be either allowed, or rejected early with a better error message.

 ...
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Unexpected error - see /var/log/ipaserver-install.log for details:
InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.

For debugging I added a log call with the entry being added, here's the output along with the exception:

2014-08-07T12:05:18Z DEBUG CA cert entry: LDAPEntry(ipapython.dn.DN('cn=CA 1,cn=certificates,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), {u'ipaKeyExtUsage': ['1.3.6.1.5.5.7.3.1'], u'cn': ['CA 1'], u'objectClass': ['ipaCertificate', 'pkiCA', 'ipaKeyPolicy'], u'ipaCertIssuerSerial': [';1'], u'ipaPublicKey': ['0\x81\x9f...\x02\x03\x01\x00\x01'], u'cACertificate;binary': ["0\x82\x01\xea0...\x8c\x89"], u'ipaKeyTrust': ['trusted'], u'ipaCertSubject': [''], u'ipaConfigString': ['compatCA']})
2014-08-07T12:05:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 1117, in main
    ds.enable_ssl()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 353, in enable_ssl
    self.start_creation(runtime=10)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 716, in __upload_ca_cert
    config_compat=self.master_fqdn is None)

  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 384, in put_ca_cert_nss
    config_ipa, config_compat)

  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 240, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)

  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 155, in add_ca_cert
    ldap.add_entry(entry)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1586, in add_entry
    self.conn.add_s(entry.dn, attrs.items())

  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1183, in error_handler
    raise errors.InvalidSyntax(attr=info)

2014-08-07T12:05:18Z DEBUG The ipa-server-install command failed, exception: InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.

For reference, my testing CA cert
Ext_CA_2.crt

For reference, my server cert (valid for *.idm.lab.eng.brq.redhat.com)
STAR.idm.lab.eng.brq.redhat.com.p12

Honzo, any idea for this one?

RFC 5280 section 4.1.2.6. states:

If the subject is a CA (e.g., the basic constraints extension, as
discussed in Section 4.2.1.9, is present and the value of cA is
TRUE), then the subject field MUST be populated with a non-empty
distinguished name matching the contents of the issuer field (Section
4.1.2.4) in all certificates issued by the subject CA.

So it's just a matter of strengthening our validator.

Let us fix the validator in 4.1.
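The check the RFC quotation above calls for, as an added example that is not FreeIPA's own code and not the validator referenced by the commits below: a minimal DER walker that pulls the subject Name and the basicConstraints extension out of a certificate and rejects a CA certificate with an empty subject before the entry is ever sent to LDAP. The `build_mock_cert` helper, the `CN=CA 1` issuer, the serial number and the validity dates are all constructed test data (the mock is unsigned and its SubjectPublicKeyInfo is a placeholder), and the function names are assumptions of this example.

```python
"""Early validation of a CA certificate's subject, per RFC 5280 section 4.1.2.6.

Added example (not FreeIPA's own code): a minimal DER walker that pulls the
subject and the basicConstraints extension out of a certificate and rejects a
CA certificate whose subject DN is empty before it reaches LDAP.
"""

# Universal DER tags used below
BOOLEAN, INTEGER, BIT_STRING, OCTET_STRING, OID, UTF8STRING = 0x01, 0x02, 0x03, 0x04, 0x06, 0x0C
UTCTIME, SEQUENCE, SET = 0x17, 0x30, 0x31
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19


def der_encode(tag, content):
    """Wrap content in a DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_decode(data, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def der_children(content):
    """Yield (tag, content) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = der_decode(content, pos)
        yield tag, body


def inspect_certificate(cert_der):
    """Return {'subject_empty': bool, 'is_ca': bool} for a DER-encoded certificate."""
    tag, cert, _ = der_decode(cert_der)
    tbs_tag, tbs, _ = der_decode(cert)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a DER X.509 Certificate")
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:          # optional EXPLICIT [0] version
        fields.pop(0)
    # Now: serial, signature, issuer, validity, subject, spki, then optional [1]/[2]/[3]
    subject_tag, subject = fields[4]
    if subject_tag != SEQUENCE:
        raise ValueError("subject is not a Name SEQUENCE")
    is_ca = False
    for tag, body in fields[6:]:
        if tag != 0xA3:               # EXPLICIT [3] extensions
            continue
        _, extensions, _ = der_decode(body)
        for _, ext in der_children(extensions):
            parts = list(der_children(ext))   # extnID, [critical], extnValue
            if parts[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            _, basic_constraints, _ = der_decode(parts[-1][1])  # inside the OCTET STRING
            for inner_tag, inner in der_children(basic_constraints):
                if inner_tag == BOOLEAN and inner != b"\x00":
                    is_ca = True      # cA BOOLEAN (DEFAULT FALSE) is set
    return {"subject_empty": len(subject) == 0, "is_ca": is_ca}


def validate_ca_cert(cert_der):
    """Return None if the CA certificate is acceptable, else a user-facing error string."""
    info = inspect_certificate(cert_der)
    if info["is_ca"] and info["subject_empty"]:
        return ("CA certificate has an empty subject; RFC 5280 section 4.1.2.6 "
                "requires a CA to carry a non-empty distinguished name")
    return None


def build_mock_cert(subject_rdns, is_ca):
    """Construct an UNSIGNED, structurally valid certificate for testing (constructed data)."""
    def name(rdns):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        out = b""
        for oid_hex, value in rdns:
            atv = der_encode(OID, bytes.fromhex(oid_hex)) + der_encode(UTF8STRING, value.encode())
            out += der_encode(SET, der_encode(SEQUENCE, atv))
        return der_encode(SEQUENCE, out)

    alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = der_encode(0xA0, der_encode(INTEGER, b"\x02"))                 # version v3
    tbs += der_encode(INTEGER, b"\x01")                                  # serialNumber (constructed)
    tbs += alg                                                           # signature
    tbs += name([("550403", "CA 1")])                                    # issuer: CN=CA 1 (constructed)
    tbs += der_encode(SEQUENCE, der_encode(UTCTIME, b"140807000000Z")
                      + der_encode(UTCTIME, b"240807000000Z"))           # validity (constructed)
    tbs += name(subject_rdns)                                            # subject (may be empty)
    tbs += der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00"))   # placeholder SPKI
    bc = der_encode(SEQUENCE, der_encode(BOOLEAN, b"\xff") if is_ca else b"")
    ext = der_encode(SEQUENCE, der_encode(OID, BASIC_CONSTRAINTS_OID)
                     + der_encode(BOOLEAN, b"\xff") + der_encode(OCTET_STRING, bc))
    tbs += der_encode(0xA3, der_encode(SEQUENCE, ext))                   # extensions [3]
    return der_encode(SEQUENCE, der_encode(SEQUENCE, tbs) + alg + der_encode(BIT_STRING, b"\x00"))


if __name__ == "__main__":
    print(validate_ca_cert(build_mock_cert([], is_ca=True)))              # rejected: empty subject
    print(validate_ca_cert(build_mock_cert([("550403", "CA 1")], True)))  # None: accepted
```

Running `validate_ca_cert` on the DER bytes of a CA file at the option-parsing stage gives the installer the "rejected early with a better error message" behaviour the report asks for, instead of the `InvalidSyntax` raised by the directory server on `ipaCertSubject`. An end-entity certificate with an empty subject still passes this particular check, since the RFC requirement quoted above is specific to CAs.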

master:

  • 60ecba7 Add NSSDatabase.import_files method for importing files in various formats
  • 3aa0731 External CA installer options usability fixes
  • 8808388 CA-less installer options usability fixes
  • 3cde7e9 Allow choosing CA-less server certificates by name
  • 83cbfa8 Do stricter validation of CA certificates

ipa-4-1:

  • b93bdb7 Add NSSDatabase.import_files method for importing files in various formats
  • 6136a3e External CA installer options usability fixes
  • a29ee45 CA-less installer options usability fixes
  • 01623f7 Allow choosing CA-less server certificates by name
  • 0c4d7da Do stricter validation of CA certificates

Metadata Update from @pviktori:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1

2 years ago