Issue #6959: ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with - freeipa

freeipa

#6959 ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with

Closed: invalid 5 years ago Opened 6 years ago by mreznik.

Currently 2 our CA-less tests are failing as follows:

[2017-05-10T16:50:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: RUN ['ipa-server-certinstall', '-p', 'XXX', '-w', 'server.p12', '--pin', 'XXX']
[2017-05-10T16:50:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: Peer's certificate issuer is not trusted (invalid for a SSL server). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
[2017-05-10T16:50:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: The ipa-server-certinstall command failed.

With intermediate CA as: "ca1/subca/server"

mbasti commented 6 years ago

Test marked as XFAIL:

master:

d5e84d7 test_caless: mark TestCertinstall intermediate CA tests as xfail

ipa-4-5:

f9bf76e test_caless: mark TestCertinstall intermediate CA tests as xfail

Metadata Update from @pvoborni:
- Issue tagged with: tests

6 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.7)
- Issue tagged with: test-failure

6 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

6 years ago

rcritten commented 6 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

5 years ago

frenaud commented 5 years ago

The documentation describes the following process:
- add the external CA that signed the ldap/http cert with ipa-cacert-manage install /path/to/cacert
- run ipa-certupdate on all hosts
- replace the ldap/http cert with ipa-server-certinstall ...

It is not easy to modify ipa-server-certinstall so that it performs all the tasks, because it would require ipa-server-certinstall to connect to all IPA hosts and trigger ipa-certupdate remotely. Note that if this step is not done on a client and the new ldap/http cert is in use on the master, the client will not be able any more to use ipa * commands (including ipa-certupdate).

Hence closing as invalid.

Metadata Update from @frenaud:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.6.5

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#6959 ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with Closed: invalid 5 years ago Opened 6 years ago by mreznik.

Metadata

tests test-failure

#6959 ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with

Closed: invalid 5 years ago Opened 6 years ago by mreznik.