Bug 1417766
Summary: | ipa-replica-install fails on CA import "java.lang.Exception: Certificate caSigningCert cert-pki-ca is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized" | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Amy Farley <afarley> |
Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 8.3 | CC: | ascheel, bugsredhat, edewata, f.giannoccaro, frenaud, gparente, mharmsen, mrhodes, msauton, pvoborni, rcritten, tscherf |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-02-26 13:27:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Amy Farley
2017-01-30 22:25:08 UTC
Thanks for the clarification about the change on the DN encoding. From our prospective the troubleshooting process we went through in the last few weeks made clear that taking the faulty IPA systems to a stable and reliable status is very difficult if even not possible at all. We have decided to perform an installation from scratch of a new IPA environment to reduce the risk in future of having same issue or other related issues. A short summary of the step we are currently following is: 1. perform a fresh install of IdM/IPA, and instead of setting the Winsync using Trust configuration 2. create new domain as a subdomain of our corporate Windows AD (unix.phe.gov.uk) 3. sign the IdM/IPA root CA cert with the PHE AD root CA cert, so that clients can have a valid trust path for IdM/IPA issues certs 4. create a one way trust from the IdM/IPA to the PHE AD so that existing AD users can authenticate to IDM 5. run both IPA systems in parallel (the faulty and new one) and migrate things over in a controlled manor Once we'll complete all the above step and all clients will be successfully migrated to the new IPA, we are keen to help - if you think it could be any how useful to resolve this bug - with performing further tests or apply patch to our faulty IPA system to test possible solution (maybe useful for other users). for the workaround the the CA's CS.cfg, note the order may be important: X500Name.directoryStringEncodingOrder=UTF8String,PrintableString,T61String,BMPString,UniversalString versus X500Name.directoryStringEncodingOrder=PrintableString,UTF8String,T61String,BMPString,UniversalString may not have the same effect *** Bug 1415852 has been marked as a duplicate of this bug. *** [20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6 Per RHEL 7.5.z/7.6/8.0 Triage: 7.6 alee: looks like it was tied to a customer case. Need to confirm if this case is active. |