#4641 Failed downloading certificate with conflicting serial number in client database.
Closed: wontfix 5 years ago Opened 9 years ago by edewata.

Downloading a certificate from the server using the ipa cert-show command fails if the client already has another certificate with the same serial number (possibly from an old installation or from another source) in the client database.

To reproduce the problem, prepare a certificate file with a serial number matching another certificate on the server. Import the first certificate into the client database, then download the second certificate from the server into a file. The command will fail.

$ certutil -A -d /etc/ipa/nssdb -i old-transport.crt -n "KRA Transport Certificate" -t ",,"
$ ipa cert-show 0xB --out new-tranport.crt
ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Once the first certificate is removed the command will work:

$ certutil -D -d /etc/ipa/nssdb -n "KRA Transport Certificate"
$ ipa cert-show 0xB --out new-tranport.crt

The command should have worked regardless of the existence of the first certificate in the client database because the command is only supposed to download the second certificate into a file, not import it into the database.
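The error in the output above is NSS's import check: an NSS certificate database keys certificates by issuer DN plus serial number and refuses to store a second, different certificate under an existing key (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). The added example below is not FreeIPA code; it shows that issuer and serial can be read straight from the certificate bytes without any database, and applies the same issuer+serial rule to a simulated store so the collision described in this ticket can be checked before an import is attempted. The certificates it parses are constructed inside the script (structurally valid DER, placeholder signature), and the "Example CA" and 0xB serial are made-up values.

```python
"""Added example (not FreeIPA code): read issuer/serial from a DER certificate
without an NSS database, and apply NSS's issuer+serial uniqueness rule to it.
All certificates below are constructed in this script and are not signed."""


def _der(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _int(n):
    """DER INTEGER for a non-negative int: minimal bytes, leading 0x00 if high bit set."""
    return _der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _name(cn):
    """X.501 Name with a single CN RDN (OID 2.5.4.3) carrying a UTF8String."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


# sha256WithRSAEncryption (1.2.840.113549.1.1.11) and rsaEncryption (1.2.840.113549.1.1.1)
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_KEY_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))


def make_cert(serial, issuer_cn, subject_cn, pubkey, v3=True):
    """Build a structurally valid but unsigned X.509 certificate (constructed test data)."""
    tbs = b""
    if v3:
        tbs += _der(0xA0, _int(2))                 # [0] EXPLICIT version v3 (absent in v1)
    tbs += _int(serial)                            # serialNumber
    tbs += _SIG_ALG                                # signature AlgorithmIdentifier
    tbs += _name(issuer_cn)                        # issuer
    tbs += _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))  # validity
    tbs += _name(subject_cn)                       # subject
    tbs += _der(0x30, _KEY_ALG + _der(0x03, b"\x00" + pubkey))  # subjectPublicKeyInfo
    signature = _der(0x03, b"\x00\xde\xad")        # placeholder, not a real signature
    return _der(0x30, _der(0x30, tbs) + _SIG_ALG + signature)


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def issuer_and_serial(cert_der):
    """Return (issuer Name DER, serial) from certificate bytes alone; no database needed."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a TBSCertificate SEQUENCE")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] version; skip it
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)                # skip signature AlgorithmIdentifier
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected issuer Name SEQUENCE")
    return tbs[start:pos], serial                  # whole issuer TLV, as NSS keys on the DN


def classify_import(db, cert_der):
    """NSS's rule against a simulated store keyed by (issuer, serial): 'new' if unseen,
    'same-cert' if identical bytes are stored, 'conflict' if the key exists with
    different bytes (the SEC_ERROR_REUSED_ISSUER_AND_SERIAL case)."""
    key = issuer_and_serial(cert_der)
    existing = db.get(key)
    if existing is None:
        return "new"
    if existing == cert_der:
        return "same-cert"
    return "conflict"


if __name__ == "__main__":
    # Two different transport certs sharing issuer and serial 0xB, as in the report.
    old = make_cert(0x0B, "Example CA", "KRA Transport Certificate", pubkey=b"\x01")
    new = make_cert(0x0B, "Example CA", "KRA Transport Certificate", pubkey=b"\x02")
    db = {issuer_and_serial(old): old}             # the stale cert already in the client DB
    print(hex(issuer_and_serial(new)[1]), classify_import(db, new))  # 0xb conflict
```

A client that only needs to write the downloaded certificate to a file can stop at issuer_and_serial (or skip parsing entirely); running classify_import first is how an admin tool would report the stale entry instead of failing on it.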


I assume that the right fix is to clean the database on new client installation. We should not care about certificates added manually after installation.

Maybe back it up rather than destroy it, so that if something manually added is really valuable for some reason it can be recovered?

No one should touch /etc/ipa/nssdb manually.

Honza & Endi - please discuss this one. Close if this is just improper manipulation of the NSS database.

It is a real bug: cert-show should not fail under these circumstances, and it is possible that it could happen even without manually touching /etc/ipa/nssdb.

Processing 4.2 backlog. This ticket was found as something that is not a priority for the nearest releases.

But as usual, please feel free to discuss your use cases or contribute patches, to make that happen sooner!

Metadata Update from @edewata:
- Issue assigned to jcholast
- Issue set to the milestone: Future Releases

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
