Bug 740959
Summary: | 389-console put CA certificates into wrong database | |
---|---|---|---
Product: | [Retired] 389 | Reporter: | Orion Poplawski <orion>
Component: | Directory Console | Assignee: | Rich Megginson <rmeggins>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov>
Severity: | high | Priority: | high
Version: | 1.1.3 | CC: | amsharma, midnightsteel, mmello, sander
Hardware: | All | OS: | Linux
Doc Type: | Bug Fix | Last Closed: | 2015-12-07 17:14:46 UTC
Bug Blocks: | 434915 | |

Description
Orion Poplawski
2011-09-23 21:43:02 UTC
On the server:

389-admin-1.1.23-1.el5
389-admin-console-1.1.8-1.el5
389-admin-console-doc-1.1.8-1.el5
389-adminutil-1.1.14-1.el5
389-console-1.1.7-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.9.9-1.el5
389-ds-base-debuginfo-1.2.7.5-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-ds-console-1.2.6-1.el5
389-ds-console-doc-1.2.6-1.el5
389-dsgw-1.1.7-1.el5

Was able to reproduce on f15 - using the directory server manage certificates UI, the cert is installed in the admin server cert db.

Turns out that even though NSS_InitContext works for TLS/SSL, it doesn't really work for key/cert db management. I'm afraid the only way to really get this to work properly is for security.c to do a full, complete, and total NSS shutdown, which means we need to find a way to pass that all the way through to the LDAP layer to make it release any NSS resources used doing LDAPS/startTLS.

Created attachment 530746
0001-Bug-740959-389-console-put-CA-certificates-into-wron.patch

To ssh://git.fedorahosted.org/git/389/admin.git
65e4166..f2e6124 master -> master
commit 1897c5ba53d4e385f16c88a75c13f7fb7a24cd92
Author: Rich Megginson <rmeggins>
Date: Fri Oct 28 15:33:06 2011 -0600

Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Now that the openldap/NSS memory leaks have been fixed, we do not need the workaround of using NSS_InitContext, which doesn't work anyway for cert db management. The fix is to revert to the old behavior of using NSS_Shutdown/NSS_Initialize so that we can be sure we are using the correct NSS database.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no

*** Bug 750408 has been marked as a duplicate of this bug. ***

Installed CA cert from DS console and it is listed under:

[root@snmaptest ~]# cd /etc/dirsrv/slapd-snmaptest
[root@snmaptest slapd-snmaptest]# certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Example Certificate Authority                                CT,,
server-cert                                                  u,u,u
CA cert                                                      CT,,

Hence VERIFIED

Status update?

(In reply to comment #8)
> Status update?

Fixed in 389-admin-1.1.25 in updates-testing

Confirmed!! Worked after updating to 389-admin-1.1.25 in updates-testing
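
A check for the symptom reported in this bug, as an added example that is not part of the original report or the 389 project's code: it parses `certutil -L` listings from two NSS databases and reports which one holds a given nickname. The function names and sample listings are constructed for illustration, and `/etc/dirsrv/admin-serv` as the admin server database directory is an assumption.

```shell
#!/bin/sh
# Added example. Listings below are constructed, in the layout `certutil -L` prints.
# Live use (the admin-serv path is an assumption, not taken from the report):
#   cert_location 'CA cert' "$(certutil -L -d /etc/dirsrv/slapd-snmaptest)" \
#                           "$(certutil -L -d /etc/dirsrv/admin-serv)"

# nss_trust NICKNAME: read a listing on stdin, print NICKNAME's trust flags.
# Nicknames may contain spaces, so the flags are taken as the last field only.
nss_trust() {
    awk -v nick="$1" '
        {
            line = $0
            sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t]+[^ \t]+$/)
            if (!n) next
            name = substr(line, 1, n - 1)
            flags = substr(line, n)
            sub(/^[ \t]+/, "", flags)
            if (name == nick) { print flags; found = 1; exit }
        }
        END { exit !found }'
}

# cert_location NICKNAME INSTANCE_LISTING ADMIN_LISTING
# Prints instance-only, admin-only, both or missing.
cert_location() {
    in_inst=no; in_admin=no
    printf '%s\n' "$2" | nss_trust "$1" >/dev/null && in_inst=yes
    printf '%s\n' "$3" | nss_trust "$1" >/dev/null && in_admin=yes
    case "$in_inst/$in_admin" in
        yes/no)  echo instance-only ;;
        no/yes)  echo admin-only ;;     # the symptom this bug describes
        yes/yes) echo both ;;
        *)       echo missing ;;
    esac
}

HEADER='Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
'
INSTANCE_DB="${HEADER}
Example Certificate Authority        CT,,
server-cert                          u,u,u"
ADMIN_DB="${INSTANCE_DB}
CA cert                              CT,,"

cert_location 'CA cert' "$INSTANCE_DB" "$ADMIN_DB"   # prints: admin-only
```
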