[Freeipa-users] freeipa-server-install fails to compare DNs in certificates

Harald Dunkel harald.dunkel at aixigo.de
Tue Dec 15 12:49:46 UTC 2015


Hi folks,

apparently ipa-server-install (4.2) gets confused about the
attribute sequence in the DNs of the certificates. If I use

	ipa-server-install --external-ca --subject="C=DE,O=example AG"

then ipa's csr contains

	O=example AG, C=DE, CN=Certificate Authority

The signed certificate contains

	C=DE, O=example AG, CN=Certificate Authority

If I run ipa-server-install again to hand off the certificate
chain, then the code in load_external_cert() (installutils.py)
sees
	ca_subject = "CN=Certificate Authority,C=DE,O=example AG"
	subject    = "CN=Certificate Authority,O=example AG,C=DE"
	:
	if subject == ca_subject:
		ca_nickname = nickname
	:
	if ca_nickname is None:
		raise ScriptError("IPA CA certificate not found in %s" % (", ".join(files)))

The strings don't match and the certificate chain is rejected,
even though it is valid.

Please check https://tools.ietf.org/html/rfc5280#section-7.1 for
reference.


Can anybody reproduce this? What would you suggest to convince
ipa 4.2 to accept valid certificate chains?


Regards
Harri
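As an added illustration (not code from the report or from FreeIPA), the following compares the two subject strings quoted above by parsing them into RDNs instead of comparing raw strings; the parser and its normalisation rules (escaped commas, multi-valued RDNs, case-insensitive attribute types) are assumptions of this example, not the installer's logic.

```python
"""Structural DN comparison for the two subjects quoted in the report."""
import re
from collections import Counter


def _split_unescaped(s, sep):
    """Split on sep unless it is preceded by a backslash (RFC 4514 escape)."""
    return re.split(r'(?<!\\)' + re.escape(sep), s)


def parse_dn(dn):
    """Parse an RFC 4514 string DN into an ordered list of RDNs.

    Each RDN is a frozenset of (type, value) pairs: the attribute type is
    lowercased, the value is stripped of surrounding whitespace and of
    backslash escapes. This is deliberately minimal normalisation, enough
    for the CN/O/C names in the report.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            attr, eq, value = ava.partition('=')
            if not eq:
                raise ValueError("malformed RDN: %r" % ava)
            value = re.sub(r'\\(.)', r'\1', value.strip())
            avas.append((attr.strip().lower(), value))
        rdns.append(frozenset(avas))
    return rdns


def dn_equal_strict(a, b):
    """RFC 5280 section 7.1 style match: same RDNs in the same sequence."""
    return parse_dn(a) == parse_dn(b)


def dn_equal_unordered(a, b):
    """Lenient match: same multiset of RDNs, sequence ignored. This is the
    comparison the report asks the installer to tolerate when the external
    CA re-orders the RDNs of the submitted CSR."""
    return Counter(parse_dn(a)) == Counter(parse_dn(b))


# The two values the report says load_external_cert() sees.
CA_SUBJECT = "CN=Certificate Authority,C=DE,O=example AG"
CERT_SUBJECT = "CN=Certificate Authority,O=example AG,C=DE"

if __name__ == "__main__":
    print(CA_SUBJECT == CERT_SUBJECT)                     # False: raw strings
    print(dn_equal_strict(CA_SUBJECT, CERT_SUBJECT))      # False: order differs
    print(dn_equal_unordered(CA_SUBJECT, CERT_SUBJECT))   # True: same RDNs
```

The strict form is what RFC 5280 name matching requires; the unordered form shows that the two names differ only in RDN sequence, which is the reason the report gives for the rejection being spurious.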

