[Freeipa-users] invalid cn=CACert,cn=ipa,cn=etc entry
Bram Vandoren
bram.vandoren at ster.kuleuven.be
Tue Jan 13 15:53:31 UTC 2015
Hi All,
We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to
complete freeipa-client-install. It fails due to a parsing error of the
CA certificate. I tracked down the error and it seems our
cn=CACert,cn=ipa,cn=etc entry is invalid. This is the ldif:
dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
objectClass: top
objectClass: pkiCA
objectClass: nsContainer
cn: CAcert
cACertificate;binary:: (this field contains base64 encoded data, not
binary data)
I modified the certstore.py script and changed line 299 from
cert = entry.single_value['cACertificate;binary']
to:
cert = base64.b64decode(entry.single_value['cACertificate;binary'])
after that ipa-client-install completes without a problem.
We have been running FreeIPA for a few years now, so perhaps something
went wrong with an update of the server at some point and the cn=CACert
entry was not updated correctly.
What's the valid format of the CACert entry in LDAP? Can we change it to
binary without other clients ending up in trouble? Guessing from the
get_ca_certs function we also want other attributes like ipaCertSubject,
ipaCertIssuerSerial,... These are also missing in our server but perhaps
these were only added in later FreeIPA server versions.
Thanks,
Bram
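A defensive reader for the attribute, added here as an example (it is not FreeIPA's certstore.py and not part of the post): it accepts both the raw DER the client expects and base64 text stored in place of DER, as in the entry above, and rejects values that are neither; the DER sample and its base64 form are constructed toy values, not a real certificate.

```python
import base64
import binascii

# Toy DER SEQUENCE { INTEGER 5 } and its base64 form, constructed for this
# example; a real cACertificate value is a full X.509 DER certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = b"MAMCAQU="


def der_total_length(buf):
    """Length a DER element claims for itself (tag + length + body),
    or None if the length header is not well-formed."""
    if len(buf) < 2:
        return None
    first = buf[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: n following bytes
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_der_certificate(buf):
    """True if buf is one DER SEQUENCE whose declared length matches its size."""
    return len(buf) >= 2 and buf[0] == 0x30 and der_total_length(buf) == len(buf)


def normalize_ca_cert_value(value):
    """Return raw DER for a cACertificate;binary value that is either DER
    already, or base64 text (possibly LDIF-folded) stored instead of DER."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if looks_like_der_certificate(value):
        return value
    # Real DER contains bytes outside the base64 alphabet, so a strict
    # decode only succeeds for text that was genuinely base64-encoded.
    compact = b"".join(value.split())        # drop LDIF line folding
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("cACertificate;binary is neither DER nor base64 DER")
    if not looks_like_der_certificate(decoded):
        raise ValueError("base64 payload in cACertificate;binary is not DER")
    return decoded
```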