I am able to successfully install a CA-less master with a custom-generated root.pem containing 2 different certs.

Steps to reproduce:

1. Export the following environment variables:
   - domain - domain name
   - server1 - master hostname
   - server2 - replica hostname
   - client - client hostname
   - dbdir - name of the certificate database folder (will be created)
   - crl_path - a folder for CRL files (will be created)
   - dirman_password
2. Run the attached script to generate the set of certificates.
3. Export the "ca1/server" cert:
   {{{
   pk12util -o server.p12 -n "ca1/server" -d "<dbdir>" -K "<cert_password>" -W "<dirman_password>"
   }}}
4. Extract 2 different certs into the single root.pem file:
   {{{
   certutil -L -d "<dbdir>" -n "ca1" -a > root.pem
   certutil -L -d "<dbdir>" -n "ca2" -a >> root.pem
   }}}

Expected results:
Installation fails with the error message: "root.pem contains more than one certificate"

Actual results:
Installation succeeds
Attachment: caless-create-pki
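The check the reporter expected to trip at step 4 can be run against the bundle before starting the installer. The script below is an added example, not FreeIPA code and not the attached caless-create-pki script: it counts PEM certificate blocks in a root.pem, rejects a bundle with more than one, and can split the bundle into single-certificate files so each block can be inspected with certutil or openssl x509. The sample bundle it writes uses placeholder bodies rather than real DER certificates (constructed input), and all function names are the editor's own.

```shell
#!/bin/sh
# Added example, not FreeIPA code: pre-flight check for the CA-less root.pem
# bundle. The ticket expected ipa-server-install to refuse a root.pem that
# carries more than one certificate; this reproduces that check outside the
# installer. Function names are hypothetical (the editor's own).

# Print the number of PEM certificate blocks in file $1 (0 if unreadable).
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Succeed only when bundle $1 holds exactly one certificate; otherwise
# print the diagnostic the report asked for and fail.
check_single_root() {
    n=$(count_pem_certs "$1")
    case "$n" in
        0) echo "$1 contains no certificate" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "$1 contains more than one certificate ($n found)" >&2; return 1 ;;
    esac
}

# Split bundle $1 into $2.1, $2.2, ... with one certificate each, so every
# block can be inspected separately (e.g. certutil -A or openssl x509 -text).
split_pem_certs() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "." n }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# Write a constructed bundle of $2 PEM blocks to $1. The bodies are
# placeholders, not real DER, so this only exercises the block counting.
make_sample_bundle() {
    : > "$1"
    i=1
    while [ "$i" -le "$2" ]; do
        {
            echo '-----BEGIN CERTIFICATE-----'
            echo 'UExBQ0VIT0xERVIgQk9EWSwgTk9UIEEgUkVBTCBDRVJU'   # placeholder body
            echo '-----END CERTIFICATE-----'
        } >> "$1"
        i=$((i + 1))
    done
}

# Demo: a two-CA bundle like the one built in step 4 of the report.
demo_bundle=$(mktemp)
make_sample_bundle "$demo_bundle" 2
if check_single_root "$demo_bundle"; then
    echo "$demo_bundle would be accepted as a single root"
else
    echo "$demo_bundle would be rejected"
fi
rm -f "$demo_bundle"
```

To use it on a real bundle, run `check_single_root root.pem` after step 4; when it fails, `split_pem_certs root.pem ca` yields ca.1 and ca.2, and `certutil -L -d "<dbdir>" -n ca1 -a | diff - ca.1` shows which block came from which CA nickname.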
Metadata Update from @ofayans: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
Moving to 4.6.2 and raising priority because an xfail is pointing to this ticket: test_ca_2_certs
Metadata Update from @pvoborni: - Issue close_status updated to: None - Issue priority set to: important (was: low) - Issue set to the milestone: FreeIPA 4.6.2 (was: Ticket Backlog) - Issue tagged with: test-failure
Metadata Update from @tdudlak: - Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)
FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)
This ticket is similar to issue #5220. There is no functional impact and the unneeded certs (not part of the trust chain) are not installed in IPA (neither in the LDAP tree nor in the NSS databases).
Hence closing as won't fix. If you feel this issue is critical and needs to be re-evaluated, please reach out.
Metadata Update from @frenaud: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
master:
@cheimes Do you think 1e6a77a should be backported to ipa-4-7?
@sorlov That sounds like a good idea.
Metadata Update from @sorlov: - Issue status updated to: Open (was: Closed)
ipa-4-7:
Metadata Update from @stsymbal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)