When moving from CA-less to CA-ful installation, if the issuer of the DS service certificate
is not the first certificate in /etc/ipa/ca.crt, the wrong certificate will be put in the Dogtag
NSSDB. Dogtag will be unable to communicate with the DS and ipa-ca-install will fail.
ipaca_default.ini contains directives:
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
In dogtaginstance.py:PKIIniLoader.__init__, ipa_ca_pem_file is hardcoded:
The installer should inspect the DS service certificate, find the issuer certificate,
write it to a temporary file and set ipa_ca_pem_file to that file, so that the correct
certificate gets installed to the Dogtag NSSDB.
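The selection step proposed above, as an added example that is not code from this ticket or from FreeIPA itself: given the DS service certificate and a multi-certificate PEM bundle like /etc/ipa/ca.crt, pick the CA that actually issued the service certificate and write only that one to a temporary file. It uses the `cryptography` library (which FreeIPA already depends on) rather than `ipalib.x509`, and it goes a step beyond the ticket by also verifying the signature, so that two bundle entries carrying the same subject DN (e.g. an old and a re-keyed DS CA) cannot be confused. The CA names, the hostname, the helper names and the `demo()` scenario are constructed for the example.

```python
"""Choose the DS issuer certificate from a PEM bundle (added example, not FreeIPA code)."""
import datetime
import os
import re
import tempfile

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM
_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def load_pem_bundle(data: bytes):
    """Return every certificate in a PEM bundle, in file order (the order /etc/ipa/ca.crt has)."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in _PEM_CERT.finditer(data)]


def signed_by(cert, candidate):
    """True iff `cert`'s signature verifies under `candidate`'s public key (RSA or ECDSA)."""
    pub = candidate.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
        return True
    except InvalidSignature:
        return False


def find_issuer_cert(service_cert, bundle):
    """The bundle entry that issued `service_cert`, or None.

    Subject-DN equality alone is not sufficient: a bundle may hold two CAs with the
    same DN (old key and renewed key), so the signature is checked as well.
    """
    for ca in bundle:
        if ca.subject == service_cert.issuer and signed_by(service_cert, ca):
            return ca
    return None


def write_issuer_pem(service_cert, bundle):
    """Write just the issuing CA to a temp file; this is what ipa_ca_pem_file should point at."""
    ca = find_issuer_cert(service_cert, bundle)
    if ca is None:
        raise ValueError("no certificate in the bundle issued the DS service certificate")
    with tempfile.NamedTemporaryFile(prefix="ds-issuer-", suffix=".crt", delete=False) as f:
        f.write(ca.public_bytes(PEM))
    return f.name


# --- constructed test scenario below: throwaway EC keys, made-up names ---
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))


def _self_signed_ca(cn):
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 365)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def _issue_leaf(ca_key, ca_cert, cn):
    key = ec.generate_private_key(ec.SECP256R1())
    return _builder(_name(cn), ca_cert.subject, key.public_key(), 30).sign(ca_key, hashes.SHA256())


def demo():
    """Bundle order: unrelated IPA CA, a stale CA with the DS CA's DN, then the real DS CA."""
    _, ipa_ca = _self_signed_ca("IPA CA")
    _, stale_ca = _self_signed_ca("Directory Server CA")       # same DN, different key
    ds_ca_key, ds_ca = _self_signed_ca("Directory Server CA")
    ds_cert = _issue_leaf(ds_ca_key, ds_ca, "ldap.ipa.example.test")
    bundle = load_pem_bundle(b"".join(c.public_bytes(PEM) for c in (ipa_ca, stale_ca, ds_ca)))
    dn_only = next(i for i, c in enumerate(bundle) if c.subject == ds_cert.issuer)
    verified = bundle.index(find_issuer_cert(ds_cert, bundle))
    path = write_issuer_pem(ds_cert, bundle)
    with open(path, "rb") as f:
        written = load_pem_bundle(f.read())
    os.unlink(path)
    # "first entry" picks index 0, DN-only matching picks index 1, signature check picks index 2
    return {"first": 0, "dn_only": dn_only, "verified": verified, "written_ok": written == [ds_ca]}


if __name__ == "__main__":
    print(demo())
```

In the installer the temp file would be removed again after `pki-spawn` has imported it into the Dogtag NSSDB; the file is only needed long enough for the `ipa_ca_pem_file` directive to be consumed.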
Isn't this effectively a workaround for Dogtag depending on the ordering of the CA chain?
I think Dogtag's behaviour is OK - after all you only need one trust anchor to talk to DS. So I'd rather modify IPA to supply the one certificate that's actually needed.