#4612 CA-less install validation does not catch CA cert with missing basic constraints
Closed: Fixed. Opened 9 years ago by pviktori.

If a CA cert with missing basic constraints is provided to ipa-server-install --ca-cert-file, installation fails halfway through with a cryptic message:

Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [error] RuntimeError: Could not find a CA cert in /tmp/tmp3keqiQ
Could not find a CA cert in /tmp/tmp3keqiQ

2014-10-05T20:40:13Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 711, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 1181, in main
    ds.enable_ssl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 319, in enable_ssl
    self.start_creation(runtime=10)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 370, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 360, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 603, in __enable_ssl
    trust_flags=trust_flags)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 638, in create_from_pkcs12
    raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)

Such a cert is currently generated by the caless integration test.
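As an added illustration that is not part of the ticket and not FreeIPA's own code: the check the installer should perform up front on the file passed to --ca-cert-file is to decode the certificate and confirm it carries a basicConstraints extension with CA:TRUE, instead of discovering the problem when the PKCS#12 import looks for a CA cert. The Python below does that with a small DER walker (standard library only, so it also reads real PEM or DER files) and exercises it on three constructed certificate skeletons: one with CA:TRUE, one with CA:FALSE, and one with the extension absent, which is the case this ticket describes. The skeletons carry a placeholder key and signature and are not valid certificates; all names here are assumptions for illustration.

```python
"""Check that an X.509 certificate (PEM or DER) is marked CA:TRUE in basicConstraints."""
import base64
import re

OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # 2.5.29.19, raw OID content bytes


# --- minimal DER encoder, used only to build the constructed sample certificates ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def der_int(value):
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_seq(*items):
    return der(0x30, b"".join(items))


def extension(oid, value, critical=False):
    parts = [der_oid(oid)]
    if critical:
        parts.append(der(0x01, b"\xff"))
    parts.append(der(0x04, value))
    return der_seq(*parts)


def basic_constraints(ca):
    # DER omits DEFAULT FALSE values, so CA:FALSE is encoded as an empty SEQUENCE.
    return extension("2.5.29.19", der_seq(der(0x01, b"\xff")) if ca else der_seq(), critical=True)


def build_cert(extensions):
    """Constructed certificate skeleton: correct structure, placeholder key and signature."""
    alg = der_seq(der_oid("1.2.840.113549.1.1.11"))                      # sha256WithRSAEncryption
    name = der_seq(der(0x31, der_seq(der_oid("2.5.4.3"), der(0x0C, b"Example CA"))))
    validity = der_seq(der(0x17, b"240101000000Z"), der(0x17, b"340101000000Z"))
    spki = der_seq(der_seq(der_oid("1.2.840.113549.1.1.1"), der(0x05, b"")),
                   der(0x03, b"\x00" * 9))                               # placeholder key
    fields = [der(0xA0, der_int(2)), der_int(1), alg, name, validity, name, spki]
    if extensions:
        fields.append(der(0xA3, der_seq(*extensions)))                   # [3] EXPLICIT Extensions
    return der_seq(der_seq(*fields), alg, der(0x03, b"\x00" * 9))       # placeholder signature


def to_pem(der_bytes):
    b64 = base64.encodebytes(der_bytes).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n").encode()


# --- minimal DER decoder (single-byte tags, definite lengths: all an X.509 cert uses) ---
def tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out


def pem_to_der(data):
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def ca_basic_constraints(cert_bytes):
    """Return 'ca', 'not-ca' or 'missing' for the certificate's basicConstraints."""
    _, cert, _ = tlv(pem_to_der(cert_bytes))
    tbs = children(cert)[0][1]
    for tag, val in children(tbs):
        if tag != 0xA3:
            continue
        for _, ext in children(children(val)[0][1]):
            items = children(ext)
            if items[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc, _ = tlv(items[-1][1])          # extnValue OCTET STRING -> BasicConstraints SEQUENCE
            ca = any(t == 0x01 and v != b"\x00" for t, v in children(bc))
            return "ca" if ca else "not-ca"
    return "missing"


def validate_ca_cert_file(cert_bytes):
    """The up-front check the installer should apply to --ca-cert-file (hypothetical)."""
    status = ca_basic_constraints(cert_bytes)
    if status == "ca":
        return True, "basicConstraints CA:TRUE present"
    if status == "not-ca":
        return False, "basicConstraints present but CA:FALSE; not a CA certificate"
    return False, "basicConstraints extension missing; not a valid CA certificate"


# Constructed sample inputs (not real certificates).
GOOD_CA = build_cert([basic_constraints(True)])
END_ENTITY = build_cert([basic_constraints(False)])
NO_BC = build_cert([])                                   # the case in this ticket

if __name__ == "__main__":
    for label, cert in (("CA:TRUE", GOOD_CA), ("CA:FALSE", END_ENTITY), ("no basicConstraints", NO_BC)):
        print(label, validate_ca_cert_file(cert))
    print("PEM input:", validate_ca_cert_file(to_pem(GOOD_CA)))
```

Pointing `validate_ca_cert_file` at the bytes of a real file turns the cryptic "Could not find a CA cert" failure into a message naming the actual defect before any service is configured. This check deliberately covers only basicConstraints; a full validator would also require keyCertSign in keyUsage and verify the chain, which is outside what this ticket is about.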


master:

  • fdc70e8 Fix CA cert validity check for CA-less and external CA installer options

ipa-4-1:

  • 9607fe3 Fix CA cert validity check for CA-less and external CA installer options

Metadata Update from @pviktori (7 years ago):
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1