Currently 2 of our CA-less tests are failing as follows:
[2017-05-10T16:50:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: RUN ['ipa-server-certinstall', '-p', 'XXX', '-w', 'server.p12', '--pin', 'XXX']
[2017-05-10T16:50:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: Peer's certificate issuer is not trusted (invalid for a SSL server). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
[2017-05-10T16:50:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: The ipa-server-certinstall command failed.
With intermediate CA as: "ca1/subca/server"
Test marked as XFAIL:
master:
ipa-4-5:
Metadata Update from @pvoborni: - Issue tagged with: tests
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @pvoborni: - Issue priority set to: important - Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.7) - Issue tagged with: test-failure
Metadata Update from @tdudlak: - Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)
FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)
The documentation describes the following process:
- add the external CA that signed the ldap/http cert with ipa-cacert-manage install /path/to/cacert
- run ipa-certupdate on all hosts
- replace the ldap/http cert with ipa-server-certinstall ...
It is not easy to modify ipa-server-certinstall so that it performs all the tasks, because it would require ipa-server-certinstall to connect to all IPA hosts and trigger ipa-certupdate remotely. Note that if this step is not done on a client and the new ldap/http cert is in use on the master, the client will no longer be able to use ipa * commands (including ipa-certupdate).
Hence closing as invalid.
Metadata Update from @frenaud: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)