Bug 1544470
Field | Value
---|---
Summary | cn=cacert could show expired certificate
Product | Red Hat Enterprise Linux 7
Component | ipa
Version | 7.4
Status | CLOSED ERRATA
Severity | unspecified
Priority | high
Reporter | German Parente <gparente>
Assignee | IPA Maintainers <ipa-maint>
QA Contact | ipa-qe <ipa-qe>
Docs Contact | Marc Muehlfeld <mmuehlfe>
CC | afarley, frenaud, gparente, ksiddiqu, mkosek, myusuf, ndehadra, pasik, pvoborni, rcritten, rhel-docs, slaznick, tscherf
Target Milestone | rc
Hardware | Unspecified
OS | Unspecified
Fixed In Version | ipa-4.6.6-1.el7
Doc Type | Bug Fix
Type | Bug
Last Closed | 2020-03-31 19:55:19 UTC
Bug Depends On | 1576720
Bug Blocks | 1710435, 1713200

Doc Text:

IdM now correctly updates the certificate record in the `cn=CAcert,cn=ipa,cn=etc,<base_DN>` entry

Previously, after renewing the Identity Management (IdM) certificate authority (CA) certificate or modifying the CA certificate chain, IdM did not update the certificate record stored in the `cn=CAcert,cn=ipa,cn=etc,<base_DN>` entry. As a consequence, installations of IdM clients on RHEL 6 failed, because those clients read the CA certificate from that legacy entry. With this update, IdM now updates the certificate record in `cn=CAcert,cn=ipa,cn=etc,<base_DN>`. As a result, installing IdM clients on RHEL 6 now succeeds after the administrator renews the CA certificate or updates the certificate chain on the IdM CA.
Description (German Parente, 2018-02-12 15:28:37 UTC)
ipaConfigString needs to have compatCA set in order for cn=cacert to be updated. Can you see if that was set?

OK, that's why it isn't being updated then. It should be added by ipa-cacert-manage AFAICT. Can you describe their environment more? Perhaps we can reproduce it here. Particularly, where did they renew the external CA and how did they update it in IPA?

Converting it to a doc bug.

I'm going to pull this back into dev for more investigation.

We used to store a single CA certificate in the CN=CAcert entry, but this was moved to the cn=certificates container to better support multiple certificates and chains. The compat entry is for older clients. ipa-cacert-manage install/renew should update CN=CAcert when a new CA is installed, assuming that ipaConfigEntry in the cn=certificates CA entry has compatCA set. In a typical install with an IPA CA, the ipaConfigEntry for the CA is set to ipaCA and compatCA in ipaserver/install/dsinstance.py::__upload_ca_cert() in the call to certstore.put_ca_cert_nss(). compatCA is removed (and I'm not sure why) later in the installation in ipaserver/install/plugins/upload_cacrt.py. It also changes the case of ipaCA to ipaCa for some reason (not a deal breaker).

Upstream ticket: https://pagure.io/freeipa/issue/7928

*** Bug 1710235 has been marked as a duplicate of this bug. ***

Fixed upstream master:
https://pagure.io/freeipa/c/9cd88587e45c4a588b4cbd9ce1eb31d4a0c711b0
https://pagure.io/freeipa/c/4804103315617bf1fab1db84a3ed4737418b4908

Fixed upstream ipa-4-7:
https://pagure.io/freeipa/c/5d0ed95344115508e001cad9e87d60686ed4db23
https://pagure.io/freeipa/c/180cbdd67fdf03e6b23293e30148381dfd6b6abe

Fixed upstream ipa-4-6:
https://pagure.io/freeipa/c/c442b95db57a3f56f291de35e6f11767c1dbaf9f
https://pagure.io/freeipa/c/c3e6abfe687dc3540adfde72d6a5225444b23ee1

The commit includes a functional test in ipatests/test_integration/test_external_ca.py::TestSelfExternalSelf

Automation test passed in tier2 pipeline for idm-ci. Hence marking the bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083
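The thread above explains the mechanism: cn=CAcert,cn=ipa,cn=etc is a legacy compat copy of the CA certificate, it is only refreshed by ipa-cacert-manage when the CA entry under cn=certificates carries compatCA in ipaConfigString, and the installer was dropping that flag (and re-spelling ipaCA as ipaCa). An operator who has just renewed a CA on an unpatched server wants a quick way to tell whether the compat entry is stale. The script below is an added example, not code from the bug report or from FreeIPA: it parses raw ldapsearch LDIF for both entries and reports whether the CA entry has the compatCA flag and whether cn=CAcert holds the same certificate blob as the current CA entry. It assumes the FreeIPA attribute names cACertificate;binary and ipaConfigString and the objectClass pkiCA on both entries; the LDIF would come from something like `ldapsearch -Y GSSAPI -b "cn=ipa,cn=etc,$SUFFIX" "(objectClass=pkiCA)"` (filter and bind method are assumptions, not taken from the report). The certificate values in the embedded sample are constructed placeholder bytes, not real DER certificates, and the sample LDIF itself is constructed, not captured from a server.

```python
"""Audit cn=CAcert against the IPA CA entry in cn=certificates (added example).

Assumptions not stated in the bug report: attribute names cACertificate;binary
and ipaConfigString, objectClass pkiCA, and ldapsearch-style LDIF as input.
"""
import base64
import re
from typing import Dict, List


def parse_ldif(text: str) -> Dict[str, Dict[str, List[bytes]]]:
    """Minimal LDIF reader for ldapsearch output.

    Returns {dn (case-folded): {attribute (lower-case): [raw values]}}.
    Handles '::' base64 values and folded continuation lines (leading space);
    skips comments and the trailing 'search:' / 'result:' lines.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # rejoin a folded line to its parent
        else:
            unfolded.append(raw)

    entries: Dict[str, Dict[str, List[bytes]]] = {}
    current_dn = None
    current_attrs: Dict[str, List[bytes]] = {}
    for line in unfolded + [""]:             # sentinel blank line flushes the last entry
        if not line.strip():
            if current_dn is not None:
                entries[current_dn] = current_attrs
            current_dn, current_attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z0-9;.-]+)(::?) ?(.*)$", line)
        if not match:
            continue
        name, sep, val = match.group(1).lower(), match.group(2), match.group(3)
        value = base64.b64decode(val) if sep == "::" else val.encode()
        if name == "dn":
            # LDAP DN matching is case-insensitive; lower-casing is a good
            # enough approximation for these fixed-form container DNs.
            current_dn = value.decode().lower()
        elif current_dn is not None:
            current_attrs.setdefault(name, []).append(value)
    return entries


def audit_compat_ca(ldif_text: str, base_dn: str) -> dict:
    """Compare cn=CAcert with the ipaCA entry under cn=certificates.

    'problems' is empty when the compat entry holds the current CA cert and
    the CA entry carries compatCA, i.e. ipa-cacert-manage will keep it fresh.
    """
    suffix = base_dn.lower()
    compat_dn = f"cn=cacert,cn=ipa,cn=etc,{suffix}"
    container = f",cn=certificates,cn=ipa,cn=etc,{suffix}"
    entries = parse_ldif(ldif_text)

    compat_certs = set(entries.get(compat_dn, {}).get("cacertificate;binary", []))
    report = {"compat_entry_present": compat_dn in entries, "ca_entries": {}, "problems": []}
    if not compat_certs:
        report["problems"].append("cn=CAcert has no cACertificate;binary value")

    for dn, attrs in entries.items():
        if not dn.endswith(container):
            continue
        # ipaConfigString values are compared case-insensitively: the thread
        # notes the flag appearing as both 'ipaCA' and 'ipaCa'.
        flags = {v.decode().lower() for v in attrs.get("ipaconfigstring", [])}
        certs = attrs.get("cacertificate;binary", [])
        entry = {
            "is_ipa_ca": "ipaca" in flags,
            "has_compat_flag": "compatca" in flags,
            "matches_compat": any(c in compat_certs for c in certs),
        }
        report["ca_entries"][dn] = entry
        if entry["is_ipa_ca"] and not entry["has_compat_flag"]:
            report["problems"].append(f"{dn}: ipaConfigString lacks compatCA; cn=CAcert will not be refreshed")
        if entry["is_ipa_ca"] and not entry["matches_compat"]:
            report["problems"].append(f"{dn}: cn=CAcert does not hold this CA certificate (stale compat entry)")
    return report


# Constructed placeholder blobs standing in for DER certificates (not real certs).
OLD_CA = b"placeholder: DER of the EXPIRED IPA CA certificate (not a real cert)"
NEW_CA = b"placeholder: DER of the RENEWED IPA CA certificate (not a real cert)"


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


def _fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line the way ldapsearch does (continuation = leading space)."""
    chunks = [line[:width]]
    for i in range(width, len(line), width - 1):
        chunks.append(" " + line[i:i + width - 1])
    return "\n".join(chunks)


def make_sample_ldif(compat_blob: bytes, ca_flags: List[str]) -> str:
    """Constructed ldapsearch-style output for the two entries (test data only)."""
    flag_lines = "\n".join(f"ipaConfigString: {f}" for f in ca_flags)
    return (
        "# constructed sample, not captured from a real server\n"
        "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test\n"
        "objectClass: pkiCA\n"
        "cn: CAcert\n"
        f"{_fold('cACertificate;binary:: ' + _b64(compat_blob))}\n"
        "\n"
        "dn: cn=EXAMPLE.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test\n"
        "objectClass: ipaCertificate\n"
        "objectClass: pkiCA\n"
        "cn: EXAMPLE.TEST IPA CA\n"
        f"{flag_lines}\n"
        f"{_fold('cACertificate;binary:: ' + _b64(NEW_CA))}\n"
        "\n"
        "search: 2\n"
        "result: 0 Success\n"
    )


# The state this bug describes: CA renewed, compatCA dropped at install time
# (only the 'ipaCa' spelling left), cn=CAcert still holding the old cert.
BROKEN = make_sample_ldif(OLD_CA, ["ipaCa"])
# The state after the fix: compatCA present and cn=CAcert refreshed.
FIXED = make_sample_ldif(NEW_CA, ["ipaCa", "compatCA"])

if __name__ == "__main__":
    for label, ldif in (("broken", BROKEN), ("fixed", FIXED)):
        problems = audit_compat_ca(ldif, "dc=example,dc=test")["problems"]
        print(label, "->", problems or ["cn=CAcert is consistent with the current CA"])
```

Feed the real ldapsearch output to `audit_compat_ca()` with your own base DN; a non-empty problem list on a server that has just gone through ipa-cacert-manage renew means RHEL 6 clients will still fetch the old certificate from cn=CAcert until the entry is fixed. The comparison is on the raw certificate bytes rather than on validity dates, because a compat entry that differs from the current CA entry is wrong whether or not it has already expired.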