ipa-server-install with externally signed CA refuses to install because it thinks the cert is not valid yet, although the CA cert is in the right time range.
ipa-server-install --domain ipa.test --realm IPA.TEST -a $PWS -p $PWD --external-ca -U
ipa-server-install --domain ipa.test --realm IPA.test -a Secret123 -p Secret123 --external-cert-file /tmp/ipa/ext_nssdb/chain.crt -U
The installation fails because the installer thinks the cert is not yet valid:
# ipa-server-install --domain ipa.test --realm IPA.test -a Secret123 -p Secret123 --external-cert-file /tmp/ipa/ext_nssdb/chain.crt -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.11.0

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

CA certificate CN=Certificate Authority,O=IPA.TEST in /tmp/ipa/ext_nssdb/chain.crt is not valid: not valid before 2023-10-06 17:57:13+00:00 UTC is in the future.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The cert is already valid but the installer gets mixed up with the timezone:
# openssl x509 -noout -startdate -in /tmp/ipa/ext_nssdb/chain.crt
notBefore=Oct 6 13:57:13 2023 GMT
Reproduced with freeipa-server 4.11.0-5.fc39
The installer is loading the certificate using the method ipalib.x509.load_pem_x509_certificate which internally uses cryptography.x509.load_pem_x509_certificate().
When the not_valid_before value is computed, the timezone is applied to the cryptography certificate's not_valid_before value, which results in applying the time delta twice. Based on the doc at https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.not_valid_before, the code should probably switch to not_valid_before_utc() to remove any confusion.
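To make the double shift described above visible, here is an added stdlib-only example (not FreeIPA's or cryptography's code): it starts from the naive UTC datetime that cryptography.x509.Certificate.not_valid_before returns (constructed from the openssl notBefore in the report; no certificate is parsed), pins the process to a UTC-4 zone so the shift shows, and contrasts the faulty conversion with what not_valid_before_utc yields. The shape of the faulty conversion, the check's message format and the "current time" are assumptions.

```python
import os
import time
from datetime import datetime, timezone
from typing import Optional

# What cryptography.x509.Certificate.not_valid_before returns for the
# reporter's CA: a *naive* datetime whose wall-clock value is already UTC.
# Constructed here from the openssl notBefore in the report; no certificate
# is parsed in this example.
CA_NOT_BEFORE_NAIVE_UTC = datetime(2023, 10, 6, 13, 57, 13)

# Constructed "current time": one hour after notBefore, so the CA is valid.
NOW_UTC = datetime(2023, 10, 6, 15, 0, 0, tzinfo=timezone.utc)


def buggy_not_valid_before(naive_utc: datetime) -> datetime:
    """Assumed shape of the faulty conversion: astimezone() on a naive
    datetime presumes it is *local* time, so the host's UTC offset is
    applied to a value that was UTC already (the double shift)."""
    return naive_utc.astimezone(timezone.utc)


def fixed_not_valid_before(naive_utc: datetime) -> datetime:
    """Attach UTC without converting. This is what
    Certificate.not_valid_before_utc yields on cryptography >= 42."""
    return naive_utc.replace(tzinfo=timezone.utc)


def validity_error(not_before: datetime, now: datetime) -> Optional[str]:
    """Installer-style check (message format assumed from the report's
    output); both arguments must be tz-aware."""
    if not_before > now:
        return f"not valid before {not_before} UTC is in the future."
    return None


def pin_local_tz(posix_tz: str) -> None:
    """Make the process behave as if the host sat in the given zone.
    'XXX4' is POSIX for a zone 4 hours west of UTC and needs no tzdata."""
    os.environ["TZ"] = posix_tz
    time.tzset()


if __name__ == "__main__":
    pin_local_tz("XXX4")  # a host in UTC-4 reproduces the report's 4h jump
    for label, conv in (("buggy", buggy_not_valid_before),
                        ("fixed", fixed_not_valid_before)):
        nb = conv(CA_NOT_BEFORE_NAIVE_UTC)
        print(label, nb, validity_error(nb, NOW_UTC))
```

On a host east of UTC the buggy value moves the other way (notBefore lands earlier than the real one), so the check passes by accident; the error in the report only surfaces on hosts west of UTC.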
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7044
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-15443
