Bug 740959
| Summary: | 389-console put CA certificates into wrong database | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Orion Poplawski <orion> |
| Component: | Directory Console | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.1.3 | CC: | amsharma, midnightsteel, mmello, sander |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-07 17:14:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 434915 | | |
Description
Orion Poplawski
2011-09-23 21:43:02 UTC
On the server:

389-admin-1.1.23-1.el5
389-admin-console-1.1.8-1.el5
389-admin-console-doc-1.1.8-1.el5
389-adminutil-1.1.14-1.el5
389-console-1.1.7-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.9.9-1.el5
389-ds-base-debuginfo-1.2.7.5-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-ds-console-1.2.6-1.el5
389-ds-console-doc-1.2.6-1.el5
389-dsgw-1.1.7-1.el5

Was able to reproduce on f15 - using the directory server manage certificates ui, the cert is installed in the admin server cert db.

Turns out that even though NSS_InitContext works for TLS/SSL, it doesn't really work for key/cert db management. I'm afraid the only way to really get this to work properly is for security.c to do a full, complete, and total NSS shutdown, which means we need to find a way to pass that all the way through to the LDAP layer to make it release any NSS resources used doing LDAPS/startTLS.

Created attachment 530746
0001-Bug-740959-389-console-put-CA-certificates-into-wron.patch
To ssh://git.fedorahosted.org/git/389/admin.git
65e4166..f2e6124 master -> master
commit 1897c5ba53d4e385f16c88a75c13f7fb7a24cd92
Author: Rich Megginson <rmeggins>
Date: Fri Oct 28 15:33:06 2011 -0600
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Now that the openldap/NSS memory leaks have been fixed, we
do not need the workaround of using NSS_InitContext, which doesn't work
anyway for cert db management. The fix is to revert to the old behavior
of using NSS_Shutdown/NSS_Initialize so that we can be sure we are using
the correct NSS database.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
*** Bug 750408 has been marked as a duplicate of this bug. ***

Installed CA cert from DS console and it is listed under:
[root@snmaptest ~]# cd /etc/dirsrv/slapd-snmaptest
[root@snmaptest slapd-snmaptest]# certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Example Certificate Authority CT,,
server-cert u,u,u
CA cert CT,,
Hence VERIFIED
Status update?

(In reply to comment #8)
> Status update?

Fixed in 389-admin-1.1.25 in updates-testing

Confirmed!! Worked after updating to 389-admin-1.1.25 in updates-testing
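
The verification comment above checks the instance database by hand with `certutil -L`; the same check can be scripted against both databases to tell the buggy state from the fixed one. This is an added example, not part of the bug report or the 389 project's code: the function names and the sample listings are constructed for illustration.

```bash
#!/bin/sh
# Added example: decide which NSS database holds a trusted CA certificate.

# has_trusted_ca NICKNAME: reads `certutil -L` output on stdin and succeeds
# when NICKNAME is listed with "C" (trusted CA) in its SSL trust field.
has_trusted_ca() {
    awk -v nick="$1" '
        # Certificate rows end in three comma-separated trust fields.
        match($0, /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/) {
            name = substr($0, 1, RSTART - 1)
            trust = substr($0, RSTART)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/[ \t]/, "", trust)
            split(trust, field, ",")
            if (name == nick && field[1] ~ /C/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# where_is_ca NICKNAME DS_LISTING ADMIN_LISTING: the two listings are the
# text printed by `certutil -L -d <dir>` for each database.
where_is_ca() (
    in_ds=no; in_admin=no
    if printf '%s\n' "$2" | has_trusted_ca "$1"; then in_ds=yes; fi
    if printf '%s\n' "$3" | has_trusted_ca "$1"; then in_admin=yes; fi
    case "$in_ds/$in_admin" in
        yes/*)  echo "ok: trusted in directory server db" ;;
        no/yes) echo "misplaced: only in admin server db" ;;
        *)      echo "missing from both" ;;
    esac
)

# Constructed sample listings (the admin-cert nickname is hypothetical).
DS_FIXED='Certificate Nickname      Trust Attributes
                          SSL,S/MIME,JAR/XPI

Example Certificate Authority   CT,,
server-cert                     u,u,u
CA cert                         CT,,'
DS_BUGGY='Example Certificate Authority   CT,,
server-cert                     u,u,u'
ADMIN_CLEAN='admin-cert                      u,u,u'
ADMIN_BUGGY='admin-cert                      u,u,u
CA cert                         CT,,'

where_is_ca "CA cert" "$DS_BUGGY" "$ADMIN_BUGGY"   # state described in the bug
where_is_ca "CA cert" "$DS_FIXED" "$ADMIN_CLEAN"   # state after the fix
```

On a live host, pass `"$(certutil -L -d /etc/dirsrv/slapd-snmaptest)"` as the first listing and the `certutil -L` output for the admin server database as the second; the admin server directory is assumed here to be `/etc/dirsrv/admin-serv`, which the report does not state.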