Bug 451014
| Summary: | ipa-server-certinstall - Directory name error | | |
|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Eric Desgranges <eric> |
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | low | Priority: | low |
| Version: | 1.0 | CC: | batkisso, benl |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2008-08-04 18:21:23 UTC |
| Bug Blocks: | 453489 | | |

The fix for this is:
diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..90130e4 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -134,7 +134,7 @@ def main():
if options.dirsrv:
dm_password = getpass.getpass("Directory Manager password: ")
realm = get_realm_name()
- dirname = dsinstance.config_dirname(realm)
+ dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
server_cert = import_cert(dirname, pkcs12_fname)
set_ds_cert_name(server_cert[0], dm_password)
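Review bot: In the `options.dirsrv` branch the realm-to-instance-name conversion is done inline at the call site, `dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))`, so any other caller that hands a raw realm to `config_dirname` would keep the old behaviour. Consider checking the remaining `config_dirname` callers in this script, or adding a helper that takes the realm, so the conversion lives in one place. It would also help to confirm that `dirname` exists before `import_cert(dirname, pkcs12_fname)` runs, ideally before the Directory Manager password prompt, so a wrong path fails with a clear message.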
Created attachment 310674
properly convert realm name into DS instance name
master: e9196e2d9311f4de0423745568fe72f69dc4fa52
Need to commit to ipa-1-0 branch as well
*** Bug 452300 has been marked as a duplicate of this bug. ***
ipa-1-0: 23a9b65c9c0c82985cdc0efbe15c9530ab9da72d
Bug verification: passed
test:
step 1: generate self-signed cert
step 2: run ipa-server-certinstall -d to import cert
test output is below:
--------------------------------------
[step 1]
server64[07/22/08 19:48]/tmp/nss >certutil -L -d . -n yi-cert-01
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 123 (0x7b)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=ipaqa.ipa.com,O=redhat"
Validity:
Not Before: Wed Jul 23 02:48:18 2008
Not After : Sat Jan 23 02:48:18 2010
Subject: "CN=ipaqa.ipa.com,O=redhat"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation
Data Encipherment
Key Agreement
Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
Fingerprint (MD5):
7B:45:85:22:6B:7C:D7:31:67:DD:22:AD:70:EC:04:9B
Fingerprint (SHA1):
DA:1A:DB:0D:C4:26:99:B9:F4:D2:E3:A6:53:3B:EE:74:82:DF:91:71
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
----------------------------------
[step 2]
server64[07/22/08 19:48]/tmp/nss >ipa-server-certinstall -d
--dirsrv_pin=netscape /tmp/nss/yi.p12
Directory Manager password:
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-cert-01
Certificate number [1]: 2
You have new mail in /var/spool/mail/root
server64[07/22/08 19:48]/tmp/nss >certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
yi-cert-01 CTu,Cu,u
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0643.html
ipa-server-certinstall -d ..... assumes CA certificate is located in: /etc/dirsrv/slapd-DOMAIN.COM/ but IPA installation routines put it in: /etc/dirsrv/slapd-DOMAIN-COM/ ('.' vs '-').