Bug 1249781

Summary: create-certdb.sh script was removed but appears to be necessary for proper client lib functionality
Product: Fedora
Reporter: Joe Miller <joeym>
Component: openldap
Assignee: Matus Honek <mhonek>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jsynacek, jv+fedora, mhonek, phracek, rmeggins
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-11-14 14:32:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1270678

Description Joe Miller 2015-08-03 19:47:06 UTC
Description of problem:

In previous versions of the openldap-clients RPM a script 'create-certdb.sh' was included which would create an NSS cert database in /etc/openldap/certs/ populated with the public CAs from the system's main cert store. This certdb containing CA certs is necessary for LDAPS clients that want to verify LDAPS server certs to function properly out of the box.


Version-Release number of selected component (if applicable):



How reproducible:
every time.


Steps to Reproduce:
1. Install openldap-clients lib
2. Install PHP with openldap libs
3. use this test script to test a connection to an LDAPS server (you'll need to supply your own):  https://gist.github.com/joemiller/3d8bce6d50dae985e807

Actual results:
With the /etc/openldap/certs/ dir unpopulated after installation, you'll see TLS errors such as:

ldap_parse_result
ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
TLS: certificate [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /data/home/joe/ldaps-test.php on line 18
ldap_err2string
Could not start TLS.-11 Connect error


Expected results:

With a correctly populated /etc/openldap/certs dir:

ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=ldap.ucdavis.edu,OU=IET-DCCS,O="University of California, Davis",STREET=One Shields Ave,L=Davis,ST=CA,postalCode=95616,C=US] is valid
TLS certificate verification: subject: CN=ldap.xxxx.xxx,OU=IET-DCCS,O="University of California, Davis",STREET=One Shields Ave,L=Davis,ST=CA,postalCode=95616,C=US, issuer: CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
start tls success


Additional info:

It appears this script was removed along with the generate-server.cert.sh script in this commit:  http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=b730f13ce0e8d13d2f0b94b3bee19e4457da5576

with the message:

"""
    simplify package even more by removing certificate generation

    Creating self-signed certificates for localhost is pointless. If anyone
    uses TLS, they probably have their own. Testers can generate their own
    as well, the package doesn't have to be plagued by scripts just because
    of that.
"""

Perhaps only the generate-server-cert.sh script should have been removed, and the create-certdb.sh script should remain?
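For illustration, here is an added script (not the original create-certdb.sh and not part of this bug report) that does what the report describes the removed script doing: it splits the system CA bundle into individual PEM certificates and imports each one into an NSS cert database for the OpenLDAP client as a trusted CA. The paths in CERTDB and CA_BUNDLE are assumed defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: populate the OpenLDAP client NSS certdb from the system CA bundle.
# This is a reconstruction of the approach, not the contents of the removed script.
set -eu

# Assumed locations; override with CERTDB=... CA_BUNDLE=... ./script run
CERTDB="${CERTDB:-/etc/openldap/certs}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# split_bundle BUNDLE OUTDIR: write every PEM certificate found in BUNDLE to
# OUTDIR/ca-N.pem and print how many were written. Pure awk, so it needs no NSS tools.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# import_bundle: create an empty (password-less) NSS DB if none exists, then add
# each CA from the bundle with trust flag "C,," (trusted to issue TLS server certs).
import_bundle() {
    command -v certutil >/dev/null || { echo "certutil (nss-tools) not found" >&2; return 1; }
    tmp=$(mktemp -d)
    mkdir -p "$CERTDB"
    if [ ! -e "$CERTDB/cert8.db" ] && [ ! -e "$CERTDB/cert9.db" ]; then
        certutil -N -d "$CERTDB" --empty-password
    fi
    count=$(split_bundle "$CA_BUNDLE" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        # nickname is only a label; the trust attributes are what make verification work
        certutil -A -d "$CERTDB" -n "ca-bundle-$i" -t "C,," -a -i "$tmp/ca-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# Only act when invoked explicitly, so sourcing the file for its functions is harmless.
case "${1:-}" in
    run) import_bundle ;;
esac
```

After running it, `certutil -L -d /etc/openldap/certs` should list the imported CAs, and the "cannot open certdb" / "issuer has been marked as not trusted" lines from the report should no longer appear.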

Comment 1 Fedora End Of Life 2016-07-19 17:20:19 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 2 Matus Honek 2016-09-14 15:09:28 UTC
Hello Joe,

your statements are correct. However, as Fedora introduced Shared System Certificates [1] a while ago we should implement it (see bug 1270678) and drop the custom script entirely.

TODO: there is still a line calling create-certdb.sh in the SPEC file which we should drop here.

[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates

Comment 3 Fedora End Of Life 2017-02-28 09:47:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 4 Jan Kurik 2017-08-15 06:51:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.