[Freeipa-users] freeipa-server-install fails to compare DNs in certificates

Alexander Bokovoy abokovoy at redhat.com
Tue Dec 15 13:51:10 UTC 2015


On Tue, 15 Dec 2015, Harald Dunkel wrote:
>Hi folks,
>
>apparently ipa-server-install (4.2) gets confused about the
>attribute sequence in the DNs of the certificates. If I use
>
>	ipa-server-install --external-ca --subject="C=DE,O=example AG"
>
>then ipa's csr contains
>
>	O=example AG, C=DE, CN=Certificate Authority
>
>The signed certificate contains
>
>	C=DE, O=example AG, CN=Certificate Authority
>
>If I run ipa-server-install again to hand off the certificate
>chain, then the code in load_external_cert() (installutils.py)
>sees
>	ca_subject = "CN=Certificate Authority,C=DE,O=example AG"
>	subject    = "CN=Certificate Authority,O=example AG,C=DE"
>	:
>	if subject == ca_subject:
>		ca_nickname = nickname
>	:
>	if ca_nickname is None:
>		raise ScriptError("IPA CA certificate not found in %s" % (", ".join(files)))
>
>The strings don't match and the certificate chain is rejected,
>even though it is valid.
>
>Please check https://tools.ietf.org/html/rfc5280#section-7.1 for
>reference.
>
>
>Can anybody reproduce this? What would you suggest to convince
>ipa 4.2 to accept valid certificate chains?
Could you please file a bug about it?
-- 
/ Alexander Bokovoy
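For anyone hitting the same thing, the snippet quoted above compares the two subjects as raw strings, so any difference in RDN order, case or spacing fails the check. Below is an added example (not FreeIPA's code; the function names parse_dn, dn_match and compare_dns and the value folding are my own choices) that parses string DNs into RDN sequences, applies the matching rule from RFC 5280 section 7.1 (same number of RDNs, matching RDNs in the same order, attribute values compared after case and whitespace folding, multi-valued RDNs compared as unordered sets) and, when the strict match fails, reports whether the two DNs merely carry the same RDNs in a different order, which is the situation in the report.

```python
import re
from collections import Counter
from typing import FrozenSet, List, Tuple

# One RDN is an unordered set of (attribute type, attribute value) pairs.
RDN = FrozenSet[Tuple[str, str]]


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, keeping backslash-escaped separators inside a part."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape for later unescaping
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Remove RFC 4514 backslash escapes (\\, -> , etc.)."""
    return re.sub(r"\\(.)", r"\1", v)


def _norm_value(v: str) -> str:
    """caseIgnoreMatch-style folding: trim, collapse inner whitespace, case-fold."""
    return " ".join(_unescape(v).split()).casefold()


def parse_dn(dn: str) -> List[RDN]:
    """Parse a string DN such as 'CN=x,O=y,C=DE' into a list of RDNs.

    The list keeps the order of the string; each element is a frozenset of
    normalised (type, value) pairs so that 'CN=x+O=y' equals 'O=y+CN=x'.
    """
    rdns: List[RDN] = []
    for rdn in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("malformed RDN component: %r" % ava)
            attr_type, value = ava.split("=", 1)
            avas.add((attr_type.strip().lower(), _norm_value(value)))
        rdns.append(frozenset(avas))
    return rdns


def dn_match(dn1: str, dn2: str) -> bool:
    """RFC 5280 s7.1 name matching: same RDNs, in the same order."""
    return parse_dn(dn1) == parse_dn(dn2)


def compare_dns(dn1: str, dn2: str) -> str:
    """Classify two DNs: 'match', 'same RDNs, different order' or 'different'."""
    a, b = parse_dn(dn1), parse_dn(dn2)
    if a == b:
        return "match"
    # Counter of frozensets: equal multisets of RDNs regardless of position.
    if Counter(a) == Counter(b):
        return "same RDNs, different order"
    return "different"


if __name__ == "__main__":
    # The two subjects from the report above (values copied from the post).
    ca_subject = "CN=Certificate Authority,C=DE,O=example AG"
    subject = "CN=Certificate Authority,O=example AG,C=DE"
    print("raw string equal:", subject == ca_subject)
    print("RFC 5280 match:  ", dn_match(subject, ca_subject))
    print("diagnosis:       ", compare_dns(subject, ca_subject))
```

Running it on the two subjects from the report prints that the raw strings differ, the strict RFC 5280 comparison does not match either, and the diagnosis is "same RDNs, different order". In a real install check the comparison belongs on the DER-encoded Name from the certificate rather than on a printed string, but the RDN-level structure is the same.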
