[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate
Rob Crittenden
rcritten at redhat.com
Wed Jul 2 17:08:37 UTC 2014
Jan Cholasta wrote:
> On 28.6.2014 00:19, Rob Crittenden wrote:
>>
>> I'm going to consolidate all reviews for 241 - 303 here. I'm not doing
>> this in any particular order.
Trimming to respond to your questions.
>> Not sure if this is related:
>> # pki cert-find
>> PKIException: Internal Server Error
I'm pretty sure the cert-find error is related to the fact that I had a
test build of dogtag installed, so that can be ignored.
>> ipa-client-install still fails for me in RHEL-5 with an external CA:
>>
>> 2014-06-27 14:04:31,202 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://sif.greyoak.com
>> 2014-06-27 14:04:32,312 INFO Successfully retrieved CA cert
>> Subject: /O=GREYOAK.COM/CN=Certificate Authority
>> Issuer: /CN=External Authority
>>
>> 2014-06-27 14:04:32,467 DEBUG args=/usr/sbin/ipa-join -s sif.greyoak.com
>> -b dc=greyoak,dc=com
>> 2014-06-27 14:04:32,467 DEBUG stdout=
>> 2014-06-27 14:04:32,467 DEBUG stderr=libcurl failed to execute the HTTP
>> POST transaction. SSL certificate problem, verify that the CA cert is
>> OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> This is the query that is being done:
>>
>> [27/Jun/2014:14:04:31 -0400] conn=18 op=3 SRCH
>> base="CN=CAcert,CN=ipa,CN=etc,dc=greyoak,dc=com" scope=0
>> filter="(objectClass=pkiCA)" attrs="cacertificate;binary"
>>
>> It returns a single object, the dogtag-issued CA certificate, not the
>> entire chain, hence the failure.
>
> I doubt this ever worked, as there can be only one certificate in
> cn=CAcert. Can't do much about this, unless you want to fix it in RHEL 5.
OK, as it is not a regression I won't let that block these patches.
>> Similarly /etc/ipa/ca.crt on the master contains only the IPA CA while
>> /usr/share/ipa/html/ca.crt contains the full chain.
>
> Right, will fix.
>
>>
>> This works:
>> # wget -O /tmp/ca.crt http://sif.greyoak.com/ipa/config/ca.crt
>> # ipa-client-install --server=sif.greyoak.com --domain=greyoak.com -p
>> admin -w password -U --ca-cert-file=/tmp/ca.crt
>>
>> --------
>>
>> Enrollment on RHEL-6 also puts a single CA in /etc/ipa/ca.crt but
>> enrollment succeeds.
>
> That's expected, it also uses cn=CAcert. Any idea why it works on RHEL 6
> but not on RHEL 5?
I'd guess it has something to do with OpenSSL vs NSS.
>> Patch 303.
>>
>> Is the context as cli_installer a cut-n-paste or a conscious choice?
>
> It is indeed copy-paste. Is it wrong?
The context is completely arbitrary and rarely used. But it is used in a
few places, though IIRC mostly on the server side. It probably doesn't
matter much but being client-specific is good future-proofing.
rob
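As an added example (not code from this thread or from the FreeIPA project): the /etc/ipa/ca.crt problem above is that the file holds only the dogtag-issued IPA CA, while the client needs the external issuer as well to verify the server chain. The stdlib-only Python below reports which issuers a PEM bundle is missing, using a minimal DER walk to pull subject and issuer out of each certificate. The two sample bundles are constructed in code from fake certificate structures (no keys or signatures, so no TLS stack would accept them); the names reuse the ones visible in the log excerpt and are illustrative, not real IPA certificates.

```python
import base64
import re
import sys

# --- minimal DER helpers (enough for tbsCertificate fields, not a general X.509 parser) ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(der):
    """Return the raw DER of (subject, issuer) Name from a certificate."""
    _, cert_body, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)              # [0] version (v2/v3) or serialNumber (v1)
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)          # serialNumber
    _, _, pos = _read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)         # issuer Name
    _, _, pos = _read_tlv(tbs, pos)              # validity
    _, subject, _ = _read_tlv(tbs, pos)          # subject Name
    return subject, issuer

def name_to_str(name_der):
    """Join the first attribute value of each RDN with '/', e.g. 'O/CN' style display."""
    parts, pos = [], 0
    while pos < len(name_der):
        _, rdn, pos = _read_tlv(name_der, pos)   # RelativeDistinguishedName ::= SET
        _, atv, _ = _read_tlv(rdn, 0)            # AttributeTypeAndValue ::= SEQUENCE
        _, _, p = _read_tlv(atv, 0)              # attribute type OID (ignored here)
        _, value, _ = _read_tlv(atv, p)          # attribute value
        parts.append(value.decode("utf-8", "replace"))
    return "/".join(parts)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem_text):
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def chain_report(pem_text):
    """Return (complete, missing_issuers).

    A bundle is complete when every non-self-signed certificate in it has its
    issuer present as some other certificate's subject. Names are compared as
    raw DER bytes, which is the strict-match step real verifiers try first.
    """
    certs = [subject_issuer(d) for d in pem_to_ders(pem_text)]
    subjects = {s for s, _ in certs}
    missing = [name_to_str(i) for s, i in certs if i != s and i not in subjects]
    return (len(missing) == 0, missing)

# --- constructed sample bundles (fake certificate structures, hypothetical names) ---

def _name(cn):
    oid_cn = _tlv(0x06, bytes([0x55, 0x04, 0x03]))              # id-at-commonName
    atv = _tlv(0x30, oid_cn + _tlv(0x0C, cn.encode()))           # CN as UTF8String
    return _tlv(0x30, _tlv(0x31, atv))                           # Name ::= SEQUENCE OF SET

def fake_cert_der(subject, issuer):
    """Build a structurally valid but unsigned certificate skeleton for the parser."""
    sigalg = _tlv(0x30, _tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sigalg
                 + _name(issuer)
                 + _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, b"240101000000Z"))
                 + _name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + sigalg + _tlv(0x03, b"\x00"))

EXTERNAL_ROOT = fake_cert_der("External Authority", "External Authority")
IPA_CA = fake_cert_der("Certificate Authority", "External Authority")
SINGLE_CA_BUNDLE = der_to_pem(IPA_CA)                               # like /etc/ipa/ca.crt in the report
FULL_CHAIN_BUNDLE = der_to_pem(IPA_CA) + der_to_pem(EXTERNAL_ROOT)  # like /usr/share/ipa/html/ca.crt

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SINGLE_CA_BUNDLE
    print(chain_report(text))
```

Run it with a path to a real bundle (`python chaincheck.py /etc/ipa/ca.crt`) to see whether the file would let a client build the chain on its own; on the single-certificate file from the report it returns `(False, ['External Authority'])`, on the full-chain copy `(True, [])`. The check only confirms that every issuer is present; it does not verify signatures or trust, so it complements rather than replaces `openssl verify` or the NSS/OpenSSL path the enrollment actually uses.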