#8103 CA-less to CA-ful fails if /etc/ipa/ca.crt does not have DS cert issuer first
Opened 3 months ago by ftweedal. Modified 3 months ago

Issue

When moving from CA-less to CA-ful installation, if the issuer of the DS service certificate
is not the first certificate in /etc/ipa/ca.crt, the wrong certificate will be put in the Dogtag
NSSDB. Dogtag will be unable to communicate with the DS and ipa-ca-install will fail.

Version/Release/Distribution

master

Additional info:

ipaca_default.ini contains directives:

pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s

In dogtaginstance.py:PKIIniLoader.__init__, ipa_ca_pem_file is hardcoded:

    ...
    ipa_ca_pem_file=paths.IPA_CA_CRT,
    ...

The installer should inspect the DS service certificate, find the issuer certificate,
write it to a temporary file and set ipa_ca_pem_file to that file, so that the correct
certificate gets installed to the Dogtag NSSDB.
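As an added illustration of the selection step proposed above (this is not FreeIPA's code, and the function names, the "Unrelated External CA"/"DS Issuer CA" names and the generated certificates are my own constructions), the following Python uses python-cryptography to locate the issuer of a DS service certificate inside a PEM bundle such as /etc/ipa/ca.crt, regardless of its position, and writes only that certificate to a private temporary file. It also covers the case the name check alone would get wrong: a stale CA certificate with the same subject name as the real issuer.

```python
import datetime
import re
import tempfile

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM
# One PEM certificate block; a bundle such as /etc/ipa/ca.crt holds several in sequence.
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def load_bundle(bundle_pem: bytes) -> list:
    """Parse every certificate in a PEM bundle, preserving file order."""
    return [x509.load_pem_x509_certificate(b, default_backend()) for b in PEM_BLOCK.findall(bundle_pem)]


def is_issuer_of(candidate: x509.Certificate, cert: x509.Certificate) -> bool:
    """True if candidate issued cert: the names match AND candidate's key verifies cert's
    signature. The name check alone is not enough, since a bundle may carry two CA
    certificates with the same subject (e.g. an old and a renewed one)."""
    if candidate.subject != cert.issuer:
        return False
    pub = candidate.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        return False  # assumption: RSA-signed certificates only, to keep the example short
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def find_issuer_cert(service_cert: x509.Certificate, bundle_pem: bytes) -> x509.Certificate:
    """Return the bundle certificate that issued service_cert, wherever it sits in the file."""
    for candidate in load_bundle(bundle_pem):
        if is_issuer_of(candidate, service_cert):
            return candidate
    raise LookupError("no certificate in the bundle issued the DS service certificate")


def write_issuer_pem(service_cert: x509.Certificate, bundle_pem: bytes) -> str:
    """Write only the issuer certificate to a private temporary file (0600 by default) and
    return its path: what an installer would hand over as ipa_ca_pem_file instead of the
    whole bundle."""
    issuer = find_issuer_cert(service_cert, bundle_pem)
    with tempfile.NamedTemporaryFile(mode="wb", suffix=".pem", delete=False) as f:
        f.write(issuer.public_bytes(PEM))
        return f.name


# --- constructed fixture: throwaway certificates generated at run time, not IPA's ---

def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())


def _builder(subject_cn: str, issuer_name: x509.Name, pubkey):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(issuer_name)
            .public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365)))


def _make_ca(cn: str):
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (_builder(cn, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256(), default_backend()))
    return key, cert


def build_fixture():
    """Bundle whose first entry is a stale CA with the issuer's name but a different key,
    second an unrelated CA, and only third the CA that really signed the DS certificate."""
    _, stale_ca = _make_ca("DS Issuer CA")
    _, other_ca = _make_ca("Unrelated External CA")
    ds_ca_key, ds_ca = _make_ca("DS Issuer CA")
    ds_cert = (_builder("ldap.ipa.example.test", ds_ca.subject, _new_key().public_key())
               .sign(ds_ca_key, hashes.SHA256(), default_backend()))
    bundle = stale_ca.public_bytes(PEM) + other_ca.public_bytes(PEM) + ds_ca.public_bytes(PEM)
    return ds_cert, bundle, ds_ca


if __name__ == "__main__":
    ds_cert, bundle, ds_ca = build_fixture()
    print("first cert in bundle is the real issuer:", load_bundle(bundle)[0] == ds_ca)
    print("selected issuer is the real issuer:     ", find_issuer_cert(ds_cert, bundle) == ds_ca)
    print("issuer written to:", write_issuer_pem(ds_cert, bundle))
```

Taking the first certificate (the behaviour the ticket describes) would pick the stale CA here; the signature check is what distinguishes it from the real issuer, which is why matching on subject name alone is not sufficient for the installer either.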


Isn't this effectively a workaround dogtag depending on the ordering of the CA chain?

I think Dogtag's behaviour is OK - after all you only need one trust anchor to talk to DS. So I'd rather modify IPA to supply the one certificate that's actually needed.
