#7928 cn=cacert could show expired certificate
Closed: fixed 5 years ago by frenaud. Opened 5 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1544470

Description of problem:

This bug is related to
https://bugzilla.redhat.com/show_bug.cgi?id=1543335
"rhel6 ipa-client fails to retrieve right CA certificates, particularly when
external CA installed".

When installing a RHEL6 client, ipa-client-install is retrieving the
certificate from ldap. In the case of RHEL6, the certificate is taken from:

    dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)

It has happened that if the CA was expired and renewed (in the customer's
case it was an external CA), this entry is not updated, only the ones at
"cn=certificates".

It could be interesting to replace the usercertificate in this entry so that
the certificate retrieved in the case of a RHEL6 client will not show as an
expired one.

In the scenario where we have had this, the customer was using external CA. I
don't have an exact reproducer but as we have seen that the CA cert in
cn=cacert was still expired, we have agreed to report this new bug.

Version-Release number of selected component (if applicable): master 7.4
(latest) / client 6.9 (latest).
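A check a server administrator could run after a CA renewal, as an added example that is not part of the ticket or of FreeIPA's own tooling: it reads the cn=CAcert entry a RHEL6 client consults and the cn=certificates subtree, then reports when the compat entry is expired or no longer present in the store. LDAPURI, BASEDN and the cACertificate;binary attribute name are assumptions.

```sh
#!/bin/sh
# Added example, not FreeIPA's own code. Checks whether the certificate a
# RHEL6 client would read from cn=CAcert,cn=ipa,cn=etc is expired or absent
# from the cn=certificates subtree. Assumptions: the value is stored as
# cACertificate;binary, and ldapsearch, base64 and openssl are installed.

LDAPURI="${LDAPURI:-ldap://localhost}"      # placeholder, override as needed
BASEDN="${BASEDN:-dc=example,dc=test}"      # placeholder base DN

# Read LDIF on stdin and print each cACertificate;binary value as one
# base64 line, unfolding the continuation lines LDIF wraps at 76 columns.
ldif_cert_values() {
    awk '
        inval && /^ /  { val = val substr($0, 2); next }
        inval          { print val; inval = 0 }
        tolower($0) ~ /^cacertificate;binary:: / { inval = 1; val = substr($0, 24) }
        END            { if (inval) print val }
    '
}

# Return 0 (true) when the base64 DER certificate in $1 is already expired.
cert_expired() {
    printf '%s' "$1" | base64 -d | openssl x509 -inform DER -noout -checkend 0 >/dev/null 2>&1 \
        && return 1
    return 0
}

# Return 0 (true) when $1 is not one of the newline-separated values in $2.
not_in_store() {
    printf '%s\n' "$2" | grep -qxF -- "$1" && return 1
    return 0
}

# Compare cn=CAcert against cn=certificates; return 2 if the compat entry is stale.
check_cacert() {
    compat=$(ldapsearch -LLL -x -H "$LDAPURI" \
        -b "cn=CAcert,cn=ipa,cn=etc,$BASEDN" -s base cACertificate | ldif_cert_values)
    store=$(ldapsearch -LLL -x -H "$LDAPURI" \
        -b "cn=certificates,cn=ipa,cn=etc,$BASEDN" -s one cACertificate | ldif_cert_values)
    [ -n "$compat" ] || { echo "cn=CAcert has no cACertificate value"; return 2; }
    rc=0
    cert_expired "$compat" && { echo "cn=CAcert certificate is EXPIRED"; rc=2; }
    not_in_store "$compat" "$store" && { echo "cn=CAcert certificate is not in cn=certificates"; rc=2; }
    [ "$rc" -eq 0 ] && echo "cn=CAcert matches a current cn=certificates entry"
    return "$rc"
}
```

Run `check_cacert` on a server after renewal; a non-zero exit means the entry a RHEL6 ipa-client-install would trust is the stale one.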

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1544470

5 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

5 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3169
- Issue set to the milestone: FreeIPA 4.6.6

5 years ago

master:

  • 9cd8858 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
  • 4804103 ipatests: CA renewal must refresh cn=CAcert

ipa-4-7:

  • 5d0ed95 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
  • 180cbdd ipatests: CA renewal must refresh cn=CAcert

ipa-4-6:

  • c442b95 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
  • c3e6abf ipatests: CA renewal must refresh cn=CAcert

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
