[Freeipa-users] invalid cn=CACert,cn=ipa,cn=etc entry

Martin Kosek mkosek at redhat.com
Wed Jan 14 13:14:19 UTC 2015


On 01/13/2015 04:53 PM, Bram Vandoren wrote:
> Hi All,
> We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to
> complete freeipa-client-install. It fails due to a parsing error of the CA
> certificate. I tracked down the error and it seems our cn=CACert,cn=ipa,cn=etc
> entry is invalid. This is the ldif:
> 
> dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
> objectClass: top
> objectClass: pkiCA
> objectClass: nsContainer
> cn: CAcert
> cACertificate;binary:: (this fields contains base64 encoded data, not binary data)
> 
> I modified the certstore.py script and changed line 299 from
>         cert = entry.single_value['cACertificate;binary']
> to:
>         cert = base64.b64decode(entry.single_value['cACertificate;binary'])
> 
> after that ipa-client-install completes without a problem.
> 
> We run FreeIPA for a few years now so perhaps something went wrong with an
> update of the server at some point and the cn=CACert entry was not updated
> correctly.

Hello Bram,

Good investigation! You already found the root cause. You are most possibly
hitting https://bugzilla.redhat.com/show_bug.cgi?id=948928 that is fixed in
ipa-3.0.0-30.el6 or later.

> What's the valid format of the CACert entry in LDAP? Can we change it to binary
> without other clients ending up in trouble?

Yes. It is supposed to be in binary, as even the attribute name
cACertificate;binary suggests. If you fixed the certificate or removed the
attribute and let LDAP updater do its job and re-upload it correctly, you
should be fine.

> Guessing from the get_ca_certs
> function we also want other attributes like ipaCertSubject,
> ipaCertIssuerSerial,... These are also missing in our server but perhaps these
> were only added in later FreeIPA server versions.

These were added for FreeIPA 4.1, as part of tickets

https://fedorahosted.org/freeipa/ticket/3259
https://fedorahosted.org/freeipa/ticket/3520

You do not need to worry about them for clients/servers older than 4.1.

HTH,
Martin
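The check and fix described in the reply, as an added example that is not part of the thread and is not FreeIPA's own certstore.py code: it tells a DER-encoded value apart from a base64 text copy of DER (the broken state Bram found), decodes the text form if that is what was stored, and emits an LDIF replace so the attribute holds real DER again. The DN suffix and the sample certificate bytes are constructed; a real cACertificate;binary value is a full X.509 certificate, which the same functions handle because every X.509 certificate is one outer DER SEQUENCE.

```python
# Added example (not FreeIPA's code): detect whether a cACertificate;binary
# value is DER or a base64 *text* copy of DER, and emit an LDIF that rewrites
# it as DER. Only the stdlib is used; the sample bytes below are constructed.
import base64
import binascii
import re

# Base64 alphabet plus padding and line breaks: what a mis-stored text value looks like.
B64_TEXT = re.compile(rb"\A[A-Za-z0-9+/=\r\n]+\Z")


def der_sequence_length(buf):
    """Total byte length of the DER SEQUENCE at the start of buf, or None.

    Every X.509 certificate is one outer SEQUENCE (tag 0x30), so a stored
    value that is DER must start with 0x30 and its length field must
    account for exactly the bytes present.
    """
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_der(buf):
    return der_sequence_length(buf) == len(buf)


def classify(value):
    """'der' for a well-formed DER SEQUENCE, 'base64' for base64 text that
    decodes to one, 'unknown' otherwise."""
    if looks_like_der(value):
        return "der"
    if B64_TEXT.match(value):
        try:
            decoded = base64.b64decode(value)   # ignores embedded line breaks
        except binascii.Error:
            return "unknown"
        if looks_like_der(decoded):
            return "base64"
    return "unknown"


def normalize(value):
    """Return the DER bytes, decoding a base64 text copy if that is what was stored."""
    kind = classify(value)
    if kind == "der":
        return value
    if kind == "base64":
        return base64.b64decode(value)
    raise ValueError("value is neither DER nor base64 text of DER")


def repair_ldif(dn, stored_value):
    """LDIF 'replace' that stores the certificate as real DER.

    LDIF itself base64-encodes binary values after '::', so the DER is
    encoded once here and the directory server decodes it on import; that
    is not the double encoding the thread is about.
    """
    der = normalize(stored_value)
    b64 = base64.b64encode(der).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: cACertificate;binary\n"
        f"cACertificate;binary:: {b64}\n"
    )


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 1, NULL }.
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
# The same value as it sat in the broken entry: base64 text stored as the attribute value.
SAMPLE_BROKEN = base64.b64encode(SAMPLE_DER)
SAMPLE_DN = "cn=CACert,cn=ipa,cn=etc,dc=example,dc=test"   # assumed suffix

if __name__ == "__main__":
    print(classify(SAMPLE_DER), classify(SAMPLE_BROKEN))
    print(repair_ldif(SAMPLE_DN, SAMPLE_BROKEN))
```

To get the stored bytes from a live server, `ldapsearch -LLL -o ldif-wrap=no -b 'cn=CACert,cn=ipa,cn=etc,<suffix>' 'cACertificate;binary'` prints the attribute as `cACertificate;binary:: <base64 of whatever is stored>`; base64-decode that once and feed the result to `classify`. A quick eyeball check works too: a healthy entry's printed value starts with `MII` (the base64 of a long-form DER SEQUENCE), while a double-encoded one starts with `TUlJ`, which is the base64 of the text `MII`. The LDIF from `repair_ldif` can then be applied with `ldapmodify -x -D 'cn=Directory Manager' -W -f fix.ldif`, as one alternative to removing the attribute and letting the updater re-upload it.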
