#6959 ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with
Closed: invalid 2 years ago Opened 3 years ago by mreznik.

Currently 2 our CA-less tests are failing as follows:

[2017-05-10T16:50:18Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: RUN ['ipa-server-certinstall', '-p', 'XXX', '-w', 'server.p12', '--pin', 'XXX']
[2017-05-10T16:50:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: Peer's certificate issuer is not trusted (invalid for a SSL server). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
[2017-05-10T16:50:22Z ipa.ipatests.pytest_plugins.integration.host.Host.vm-058-121.cmd39] <DEBUG>: The ipa-server-certinstall command failed.

With intermediate CA as: "ca1/subca/server"


Test marked as XFAIL:

master:

  • d5e84d7 test_caless: mark TestCertinstall intermediate CA tests as xfail

ipa-4-5:

  • f9bf76e test_caless: mark TestCertinstall intermediate CA tests as xfail

Metadata Update from @pvoborni:
- Issue tagged with: tests

3 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @pvoborni:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.7)
- Issue tagged with: test-failure

2 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

2 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

The documentation describes the following process:
- add the external CA that signed the ldap/http cert with ipa-cacert-manage install /path/to/cacert
- run ipa-certupdate on all hosts
- replace the ldap/http cert with ipa-server-certinstall ...

It is not easy to modify ipa-server-certinstall so that it performs all the tasks, because it would require ipa-server-certinstall to connect to all IPA hosts and trigger ipa-certupdate remotely. Note that if this step is not done on a client and the new ldap/http cert is in use on the master, the client will not be able any more to use ipa * commands (including ipa-certupdate).

Hence closing as invalid.

Metadata Update from @frenaud:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata