Bug 826973
Summary: | ipa-server-install does not fill the default value for --subject option and it crashes later. | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> | |
Component: | ipa | Assignee: | Martin Prpič <mprpic> | |
Status: | CLOSED NEXTRELEASE | QA Contact: | IDM QE LIST <seceng-idm-qe-list> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 6.3 | CC: | dpal, jgalipea, mkosek | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
|
Story Points: | --- | |
Clone Of: | ||||
: | 827321 | Environment: | ||
Last Closed: | 2012-06-01 06:39:23 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 827321 |
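The failure mode in the Doc Text above, as an added example that is not FreeIPA code and not part of the bug report: a subject check that uses the `--subject` value as given crashes when the option is omitted, while one that first resolves the default `O=$REALM` validates the signed CA certificate subject. The function names, the simple DN parser, and the assumption that the CA subject is a single CN RDN followed by the subject base are all hypothetical.

```python
# Added illustration with hypothetical names; this is not FreeIPA source code.

def parse_dn(dn):
    """Split a simple DN string into normalized (type, value) pairs.

    Handles plain comma-separated RDNs only (no escaped commas or
    multi-valued RDNs); values are compared case-insensitively.
    """
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return rdns


def default_subject_base(realm):
    """Default described on the page: O=$REALM."""
    return f"O={realm}"


def validate_without_default(cert_subject, realm, subject_base=None):
    """Models the reported failure: the default is never filled in."""
    # With --subject omitted, subject_base is still None here, so
    # parse_dn(None) raises instead of validating anything.
    return parse_dn(cert_subject)[1:] == parse_dn(subject_base)


def validate_with_default(cert_subject, realm, subject_base=None):
    """Resolve the default first, then compare the signed subject."""
    if subject_base is None:
        subject_base = default_subject_base(realm)
    subject, base = parse_dn(cert_subject), parse_dn(subject_base)
    # Assumption: the CA subject is one leading RDN (its CN) plus the base.
    return len(subject) == len(base) + 1 and subject[1:] == base


# Constructed sample values, not taken from the bug report.
REALM = "EXAMPLE.COM"
SIGNED_SUBJECT = "CN=Certificate Authority, O=EXAMPLE.COM"
```
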
Description
Gowrishankar Rajaiyan
2012-05-31 10:46:11 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2794

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When IPA is installed with its CA certificate signed by an external CA, the installation is proceeded in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, an signed IPA CA certificate subject is validated. However, there is a bug in a certificate subject validation procedure and its default value ("O=$REALM") where $REALM is the realm of the new IPA installation is never pulled.
Consequence: Second stage of the installation always fails unless --subject option is filled.
Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead.
Result: Certificate subject validation procedure succeeds and the installation continues.

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,4 +1 @@ -Cause: When IPA is installed with its CA certificate signed by an external CA, the installation is proceeded in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the IPA CA and a certificate of the external CA. During the second stage of the installation, an signed IPA CA certificate subject is validated. However, there is a bug in a certificate subject validation procedure and its default value ("O=$REALM") where $REALM is the realm of the new IPA installation is never pulled. +When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation: --subject "O=$REALM" where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.-Consequence: Second stage of the installation always fails unless --subject option is filled. 
-Workaround: Add the following option for second stage installation: --subject "O=$REALM" where $REALM is the realm of the new IPA installation. If a custom subject was used for the first stage of the installation, use its value instead. -Result: Certificate subject validation procedure succeeds and the installation continues. |
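Review bot: In the added paragraph, the workaround is written as --subject "O=$REALM", which reads as shell syntax: inside double quotes a shell expands $REALM, so a reader who pastes the option without a REALM variable set passes a bare "O=" instead of the realm-based subject. Suggest stating that $REALM is a placeholder to be replaced with the literal realm name, or showing the option with a concrete example realm. In the same paragraph, "Using this work around" uses the verb form where the noun "workaround" is meant. The rewrite also folds the Cause, Consequence, Workaround and Result labels of the removed lines into one paragraph; consider keeping the workaround option on its own line so it is easy to copy.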