#6289 warn about unused certificates in ca-less server installation
Closed: fixed 6 years ago by stsymbal. Opened 8 years ago by ofayans.

I am able to sucessfully install ca-less master with customly generated root.pem containing 2 different certs
Steps to reproduce.
1. Export the following environmental variables:
- domain - domain name
- server1 - master hostname
- server2 - replica hostname
- client - client hostname
- dbdir - name of the certificate database folder (will be created)
- crl_path - a folder for crl files (will be created)
- dirman_password
2. Run the attached script to generate the set of certificates
3. Export the "ca1/server" cert: {{{pk12util -o server.p12 -n "ca1/server" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>"}}}
4. Extract 2 different certs into the single root.pem file:

certutil -L -d "<dbdir>" -n "ca1" -a > root.pem
certutil -L -d "<dbdir>" -n "ca2" -a >> root.pem
  1. Install master providing '--ca-cert-file=root.pem' and '--http-cert-file=server.p12' parameters

Expected results:[[BR]]
Installation fails with the error message: "root.pem contains more than one certificate"

Actual results:[[BR]]
Installation succeeds


Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

8 years ago

Moving to 4.6.2 and raising priority because and xfail is pointing to this ticket: test_ca_2_certs

Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue priority set to: important (was: low)
- Issue set to the milestone: FreeIPA 4.6.2 (was: Ticket Backlog)
- Issue tagged with: test-failure

7 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

7 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

7 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

7 years ago

This ticket is similar to issue #5220.
There is no functional impact and the unneeded certs (not part of the trust chain) are not installed in IPA (neither in the LDAP tree nor in the NSS databases).

Hence closing as won't fix. If you feel this issue is critical and needs to be re-evaluated, please reach out.

Metadata Update from @frenaud:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • 1e6a77a ipatests: fix CA less expectations

@cheimes Do you think 1e6a77a should be backported to ipa-4-7?

@sorlov That sounds like a good idea.

Metadata Update from @sorlov:
- Issue status updated to: Open (was: Closed)

6 years ago

ipa-4-7:

  • 60f4a25 ipatests: fix CA less expectations

Metadata Update from @stsymbal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Log in to comment on this ticket.

Metadata