#6132 Broken setup if 3rd party CA certificate conflicts with system-wide CA certificate
Closed: fixed 2 years ago Opened 2 years ago by jcholast.

If one of the CA certificates used during CA-less install conflicts with a system-wide CA certificate, the install succeeds, but is broken:

  • As /etc/httpd/alias uses the system-wide CA certificate store by default, it will contain both of the certificates, which might lead to httpd using the "wrong" certificate.
  • The system-wide CA certificate somehow finds its way into cn=certificates,cn=ipa,cn=etc, so a subsequent replica install or ipa-certupdate puts it into all the places in the filesystem where IPA puts CA certificates, which broadens the issue to all IPA services.

This issue was observed by Peter Pakos on freeipa-users: https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html.

Make sure this setup works.


Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago

This can go even to 4.4 .

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted

2 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1427897 (was: todo)

2 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1427897 (was: todo)

2 years ago

Metadata Update from @pvoborni:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/531 (was: 0)

2 years ago

master:

  • f037bfa httpinstance: disable system trust module in /etc/httpd/alias

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata