When moving from CA-less to CA-ful installation, if the issuer of the DS service certificate is not the first certificate in /etc/ipa/ca.crt, the wrong certificate will be put in the Dogtag NSSDB. Dogtag will be unable to communicate with the DS and ipa-ca-install will fail.
master
ipaca_default.ini contains directives:

    pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
    pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
In dogtaginstance.py:PKIIniLoader.__init__, ipa_ca_pem_file is hardcoded:

    ... ipa_ca_pem_file=paths.IPA_CA_CRT, ...
The installer should inspect the DS service certificate, find the issuer certificate, write it to a temporary file and set ipa_ca_pem_file to that file, so that the correct certificate gets installed to the Dogtag NSSDB.
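The selection step proposed above, as an added example that is not FreeIPA or Dogtag code: a POSIX shell script that splits a CA bundle, finds the certificate that issued a given DS service certificate and writes only that one to the file Dogtag would receive as ipa_ca_pem_file. It assumes only the openssl CLI; every certificate is generated on the fly by make_fixture as constructed test data, and the subject names, file names and the -partial_chain/-CAfile usage are this example's choices. It goes slightly beyond the description: a subject DN match is treated as a hint and confirmed by verifying the leaf against the candidate, so a renewed CA that kept its subject but changed keys cannot be picked by mistake, and an intermediate issuer is accepted as the trust anchor.

```shell
#!/bin/sh
# Added example, not FreeIPA or Dogtag code: choose the issuer of the DS service
# certificate from a CA bundle instead of taking the first certificate.
# Requires only the openssl CLI. Every certificate here is constructed test
# data made by make_fixture; "ipa_ca_pem_file" is just the output file name.
set -eu

# Split PEM bundle $1 into $2/cert-01.pem, $2/cert-02.pem, ... in bundle order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$1"
}

# The behaviour the ticket complains about: whatever happens to be first.
first_cert() { awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1"; }

subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# Copy the certificate in bundle $1 that issued leaf $2 to $3. A subject DN
# match alone is only a hint (a renewed CA keeps its subject but changes key),
# so each match is confirmed by checking that it actually verifies the leaf.
# -partial_chain lets an intermediate CA serve as the trust anchor, which is
# all Dogtag needs to talk to DS. Returns 1 when no certificate fits.
select_ds_issuer() {
    bundle=$1; leaf=$2; out=$3
    work=$(mktemp -d)
    split_bundle "$bundle" "$work"
    want=$(issuer_of "$leaf")
    status=1
    for cand in "$work"/cert-*.pem; do
        [ "$(subject_of "$cand")" = "$want" ] || continue
        if openssl verify -partial_chain -CAfile "$cand" "$leaf" >/dev/null 2>&1; then
            cp "$cand" "$out"
            status=0
            break
        fi
    done
    rm -rf "$work"
    return $status
}

# Constructed fixture in dir $1: two self-signed CAs, a DS service certificate
# issued by the second one, and a bundle (stand-in for /etc/ipa/ca.crt) that
# lists the wrong CA first, exactly the layout that breaks ipa-ca-install.
make_fixture() {
    dir=$1
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.pem" \
            -subj "/O=EXAMPLE.TEST/CN=Certificate Authority $n" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ds.key" -out "$dir/ds.csr" \
        -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/ds.csr" -CA "$dir/ca2.pem" -CAkey "$dir/ca2.key" \
        -CAcreateserial -days 1 -out "$dir/ds.pem" 2>/dev/null
    cat "$dir/ca1.pem" "$dir/ca2.pem" > "$dir/ca.crt"
}

# Stand-alone run: sh select_ds_issuer.sh demo
if [ "${1:-}" = demo ]; then
    fx=$(mktemp -d)
    make_fixture "$fx"
    echo "first cert in bundle: $(first_cert "$fx/ca.crt" | openssl x509 -noout -subject)"
    select_ds_issuer "$fx/ca.crt" "$fx/ds.pem" "$fx/ipa_ca_pem_file"
    echo "selected issuer:      $(subject_of "$fx/ipa_ca_pem_file")"
    rm -rf "$fx"
fi
```

Run with the demo argument to see the two choices side by side: the first certificate in the bundle is Certificate Authority 1, which cannot verify the DS certificate, while the selected issuer is Certificate Authority 2. A bundle that does not contain the issuer at all makes select_ds_issuer return 1, so an installer built on it can abort with a clear message instead of writing a useless trust anchor into the NSSDB.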
Isn't this effectively a workaround for dogtag depending on the ordering of the CA chain?
I think Dogtag's behaviour is OK - after all you only need one trust anchor to talk to DS. So I'd rather modify IPA to supply the one certificate that's actually needed.