Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1544470
Description of problem:

This bug is related to https://bugzilla.redhat.com/show_bug.cgi?id=1543335

rhel6 ipa-client fails to retrieve right CA certificates, particularly when external CA installed

When installing a RHEL6 client, ipa-client-install retrieves the certificate from LDAP. In the case of RHEL6, the certificate is taken from:

dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)

It has happened that if the CA was expired and renewed (in the customer case it was an external CA), this entry is not updated, and only the ones at "cn=certificates" are. It could be interesting to replace the usercertificate in this entry so that the certificate retrieved in the case of a RHEL6 client will not show as an expired one.

In the scenario where we have had this, the customer was using an external CA. I don't have an exact reproducer, but as we have seen that the CA cert in cn=cacert was still expired, we have agreed to report this new bug.

Version-Release number of selected component (if applicable): master 7.4 (latest) / client 6.9 (latest).
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1544470
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3169 - Issue set to the milestone: FreeIPA 4.6.6
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)