Issue #6289: warn about unused certificates in ca-less server installation - freeipa

freeipa

#6289 warn about unused certificates in ca-less server installation

Closed: fixed a year ago by stsymbal. Opened 3 years ago by ofayans.

I am able to sucessfully install ca-less master with customly generated root.pem containing 2 different certs
Steps to reproduce.
1. Export the following environmental variables:
- domain - domain name
- server1 - master hostname
- server2 - replica hostname
- client - client hostname
- dbdir - name of the certificate database folder (will be created)
- crl_path - a folder for crl files (will be created)
- dirman_password
2. Run the attached script to generate the set of certificates
3. Export the "ca1/server" cert: {{{pk12util -o server.p12 -n "ca1/server" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>"}}}
4. Extract 2 different certs into the single root.pem file:

certutil -L -d "<dbdir>" -n "ca1" -a > root.pem
certutil -L -d "<dbdir>" -n "ca2" -a >> root.pem

Install master providing '--ca-cert-file=root.pem' and '--http-cert-file=server.p12' parameters

Expected results:[[BR]]
Installation fails with the error message: "root.pem contains more than one certificate"

Actual results:[[BR]]
Installation succeeds

ofayans commented 3 years ago

attachment
caless-create-pki

Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

3 years ago

pvoborni commented 2 years ago

Moving to 4.6.2 and raising priority because and xfail is pointing to this ticket: test_ca_2_certs

Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue priority set to: important (was: low)
- Issue set to the milestone: FreeIPA 4.6.2 (was: Ticket Backlog)
- Issue tagged with: test-failure

2 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

2 years ago

rcritten commented 2 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

frenaud commented 2 years ago

This ticket is similar to issue #5220.
There is no functional impact and the unneeded certs (not part of the trust chain) are not installed in IPA (neither in the LDAP tree nor in the NSS databases).

Hence closing as won't fix. If you feel this issue is critical and needs to be re-evaluated, please reach out.

Metadata Update from @frenaud:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

2 years ago

cheimes commented 2 years ago

master:

1e6a77a ipatests: fix CA less expectations

sorlov commented a year ago

@cheimes Do you think 1e6a77a should be backported to ipa-4-7?

cheimes commented a year ago

@sorlov That sounds like a good idea.

Metadata Update from @sorlov:
- Issue status updated to: Open (was: Closed)

a year ago

stsymbal commented a year ago

ipa-4-7:

60f4a25 ipatests: fix CA less expectations

Metadata Update from @stsymbal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata

Assignee

someone

Tags

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.6.5

None

affects_doc

None

type

defect

source

None

blockedby

None

knownissue

None

component

Installation

test_case

None

blocking

None

on_review

None

keywords

caless

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#6289 warn about unused certificates in ca-less server installation Closed: fixed a year ago by stsymbal. Opened 3 years ago by ofayans.

Metadata

test-failure

#6289 warn about unused certificates in ca-less server installation

Closed: fixed a year ago by stsymbal. Opened 3 years ago by ofayans.