If a CA cert with missing basic constraints is provided to ipa-server-install --ca-cert-file, installation fails halfway through with a cryptic message:
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [error] RuntimeError: Could not find a CA cert in /tmp/tmp3keqiQ
Could not find a CA cert in /tmp/tmp3keqiQ

2014-10-05T20:40:13Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 711, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 1181, in main
    ds.enable_ssl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 319, in enable_ssl
    self.start_creation(runtime=10)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 370, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 360, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 603, in __enable_ssl
    trust_flags=trust_flags)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 638, in create_from_pkcs12
    raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
Such a cert is currently generated by the caless integration test.
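A pre-flight check for the condition reported above, as an added example that is not part of the original ticket or FreeIPA's code: it walks the DER of a certificate and reports whether the basicConstraints extension (OID 2.5.29.19) is missing, CA:FALSE or CA:TRUE. The function names are hypothetical and the sample input is a constructed, unsigned certificate-shaped structure; a PEM file has to be base64-decoded to DER first.

```python
BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])  # DER content bytes of 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ca_status(cert_der):
    """Return 'ca', 'not-ca' (CA:FALSE) or 'missing' (no basicConstraints)."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(cert)[0][1]  # first element of Certificate is tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT wrapper around the extensions SEQUENCE
            continue
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            body = children(children(fields[-1][1])[0][1])  # OCTET STRING -> SEQUENCE
            is_ca = bool(body) and body[0][0] == 0x01 and body[0][1] != b"\x00"
            return "ca" if is_ca else "not-ca"
    return "missing"

def enc(tag, content=b""):
    """Minimal DER encoder (lengths up to 255), used only to build the samples."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + head + content

def sample_cert(bc_content=None):
    """Constructed, unsigned certificate-shaped DER for the demo (not a real cert)."""
    tbs = enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01")  # version v3, serial 1
    if bc_content is not None:  # wrap basicConstraints as an Extension inside [3]
        ext = enc(0x30, enc(0x06, BASIC_CONSTRAINTS_OID) + enc(0x04, enc(0x30, bc_content)))
        tbs += enc(0xA3, enc(0x30, ext))
    return enc(0x30, enc(0x30, tbs) + enc(0x30) + enc(0x03, b"\x00"))
```

The check inspects only the extension; it does not verify the signature or the rest of the chain.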
master:
ipa-4-1:
Metadata Update from @pviktori:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1