Back to bug 1389249
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Petr Vobornik | 2016-10-27 09:52:29 UTC | Status | NEW | POST |
| Jan Cholasta | 2016-10-31 07:32:08 UTC | Status | POST | MODIFIED |
| | | Fixed In Version | | ipa-4.4.0-13.el7 |
| errata-xmlrpc | 2016-10-31 07:32:47 UTC | Status | MODIFIED | ON_QA |
| Jan Cholasta | 2016-11-01 16:52:06 UTC | Fixed In Version | ipa-4.4.0-13.el7 | ipa-4.4.0-13.el7_3 |
| Jan Cholasta | 2016-11-07 06:54:35 UTC | Flags | | needinfo?(tkrizek) |
| Tomas Krizek | 2016-11-07 08:57:44 UTC | Doc Text | | Third-party certificate trust flags are reset after installing an external CA into IdM The "ipa-ca-install --external-ca" command, used to install an external certificate authority (CA) into an existing Identity Management (IdM) domain, generates a certificate signing request (CSR) that the user must submit to the external CA. When using a previously installed third-party certificate to sign the CSR, the third-party certificate trust flags in the NSS database are reset. Consequently, the certificate is no longer marked as trusted. In addition, checks performed by the `mod_nss` module fail, and the *httpd* service fails to start. The CA installation fails with the following message in this situation: CA failed to start after 300 seconds As a workaround, after this message appears, reset the third-party certificate flags to their previous state and restart *httpd*. For example, if the `ca1` certificate previously had the `C,,` trust flags: # certutil -d /etc/httpd/alias -n 'ca1' -M -t C,, # systemctl restart httpd.service This restores the system to the correct state. |
| | | Flags | needinfo?(tkrizek) | |
| Abhijeet Kasurde | 2016-11-10 05:49:03 UTC | Status | ON_QA | VERIFIED |
| Assignee | ipa-maint | akasurde | ||
| Abhijeet Kasurde | 2016-11-10 05:49:30 UTC | Assignee | akasurde | ipa-maint |
| Marc Muehlfeld | 2016-11-11 14:34:26 UTC | CC | | mmuehlfe |
| | | Docs Contact | | mmuehlfe |
| Marc Muehlfeld | 2016-11-16 06:46:53 UTC | Doc Text | Third-party certificate trust flags are reset after installing an external CA into IdM The "ipa-ca-install --external-ca" command, used to install an external certificate authority (CA) into an existing Identity Management (IdM) domain, generates a certificate signing request (CSR) that the user must submit to the external CA. When using a previously installed third-party certificate to sign the CSR, the third-party certificate trust flags in the NSS database are reset. Consequently, the certificate is no longer marked as trusted. In addition, checks performed by the `mod_nss` module fail, and the *httpd* service fails to start. The CA installation fails with the following message in this situation: CA failed to start after 300 seconds As a workaround, after this message appears, reset the third-party certificate flags to their previous state and restart *httpd*. For example, if the `ca1` certificate previously had the `C,,` trust flags: # certutil -d /etc/httpd/alias -n 'ca1' -M -t C,, # systemctl restart httpd.service This restores the system to the correct state. | When using a previously-installed third-party certificate to sign the certificate signing request (CSR) during an Identity Management (IdM) certificate authority (CA) installation, the third-party certificate trust flags in the network security services (NSS) database were reset. Consequently, the certificate was no longer marked as trusted, and the IdM CA installation failed. This update applies a patch and as a result, installing an IdM CA works correctly in the described scenario. |
| | | Flags | | needinfo?(tkrizek) |
| Tomas Krizek | 2016-11-16 08:19:16 UTC | Flags | needinfo?(tkrizek) | needinfo?(mmuehlfe) |
| Marc Muehlfeld | 2016-11-16 12:02:21 UTC | Doc Text | When using a previously-installed third-party certificate to sign the certificate signing request (CSR) during an Identity Management (IdM) certificate authority (CA) installation, the third-party certificate trust flags in the network security services (NSS) database were reset. Consequently, the certificate was no longer marked as trusted, and the IdM CA installation failed. This update applies a patch and as a result, installing an IdM CA works correctly in the described scenario. | When using a previously-installed third-party certificate to sign the certificate signing request (CSR) during an Identity Management (IdM) external certificate authority (CA) installation, the third-party certificate trust flags in the network security services (NSS) database were reset. Consequently, the certificate was no longer marked as trusted, and the IdM CA installation failed. This update applies a patch and as a result, installing an IdM CA works correctly in the described scenario. |
| | | Flags | needinfo?(mmuehlfe) | |
| errata-xmlrpc | 2016-12-06 00:22:09 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-12-06 17:02:33 UTC | Status | RELEASE_PENDING | CLOSED |
| Resolution | --- | ERRATA | ||
| Last Closed | 2016-12-06 12:02:33 UTC |