Red Hat Bugzilla – Bug 1129730
CA-less installation fails when the CA cert has an empty subject
Last modified: 2015-03-05 05:13:17 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4477

My testing CA has an empty subject. When used in a CA-less installation, IPA fails to add it to LDAP. Most likely a regression in #3259. This should be either allowed, or rejected early with a better error message.

{{{
...
  [39/39]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Unexpected error - see /var/log/ipaserver-install.log for details:
InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.
}}}

For debugging I added a log call with the entry being added; here's the output along with the exception:

{{{
2014-08-07T12:05:18Z DEBUG CA cert entry: LDAPEntry(ipapython.dn.DN('cn=CA 1,cn=certificates,cn=ipa,cn=etc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), {u'ipaKeyExtUsage': ['1.3.6.1.5.5.7.3.1'], u'cn': ['CA 1'], u'objectClass': ['ipaCertificate', 'pkiCA', 'ipaKeyPolicy'], u'ipaCertIssuerSerial': [';1'], u'ipaPublicKey': ['0\x81\x9f...\x02\x03\x01\x00\x01'], u'cACertificate;binary': ["0\x82\x01\xea0...\x8c\x89"], u'ipaKeyTrust': ['trusted'], u'ipaCertSubject': [''], u'ipaConfigString': ['compatCA']})
2014-08-07T12:05:18Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 640, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 1117, in main
    ds.enable_ssl()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 353, in enable_ssl
    self.start_creation(runtime=10)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 716, in __upload_ca_cert
    config_compat=self.master_fqdn is None)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 384, in put_ca_cert_nss
    config_ipa, config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 240, in put_ca_cert
    config_ipa=config_ipa, config_compat=config_compat)
  File "/usr/lib/python2.7/site-packages/ipalib/certstore.py", line 155, in add_ca_cert
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1586, in add_entry
    self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1183, in error_handler
    raise errors.InvalidSyntax(attr=info)
2014-08-07T12:05:18Z DEBUG The ipa-server-install command failed, exception: InvalidSyntax: ipaCertSubject: value #0 invalid per syntax: Invalid syntax.
}}}
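The early rejection the reporter asks for, as an added example that is not FreeIPA's own code: a stdlib-only DER walk that locates tbsCertificate.subject and refuses an empty Name before anything is written to LDAP, exercised against a constructed stand-in certificate (dummy key and signature). The names read_tlv, subject_name_content, validate_ca_cert, tlv, cn_rdn and sample_cert are the example's own; the error text mirrors the message in the verified output below.

```python
# Added example, not FreeIPA code: find tbsCertificate.subject in DER and reject an empty Name.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_name_content(cert_der):
    """Return the raw content of tbsCertificate.subject; b'' means an empty Name."""
    outer, pos, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    inner, pos, _ = read_tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    if outer != 0x30 or inner != 0x30:
        raise ValueError("not a DER Certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                               # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, start, end = read_tlv(cert_der, pos)        # subject Name
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[start:end]

def validate_ca_cert(cert_der, path="<ca-cert-file>"):
    """Early check in the style of the installer message: None if OK, else the error."""
    if subject_name_content(cert_der) == b"":
        return "CA certificate in %s is not valid: has empty subject" % path
    return None

def tlv(tag, content):
    """Encode one DER TLV (contents under 256 bytes are enough for the samples)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + content

def cn_rdn(value):
    """RelativeDistinguishedName: SET { SEQUENCE { id-at-commonName, UTF8String } }."""
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, value)))

def sample_cert(subject_content):
    """Constructed stand-in Certificate: real layout, dummy key and signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, cn_rdn(b"Test Root")) + tlv(0x30, tlv(0x17, b"140807120518Z") * 2)
              + tlv(0x30, subject_content) + tlv(0x30, alg + tlv(0x03, b"\x00" * 9)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))

EMPTY_SUBJECT_CA = sample_cert(b"")                # reproduces the reported case
NAMED_SUBJECT_CA = sample_cert(cn_rdn(b"CA 1"))    # what the installer expects
```

A real certificate starts with the `30 82 ..` long-form length visible in the logged cACertificate;binary value; read_tlv decodes that the same way as the one-byte `81` form the samples produce.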
Fixed upstream:

master:
https://fedorahosted.org/freeipa/changeset/60ecba77cd98f37be0d2c0f69efd307a687e59dc
https://fedorahosted.org/freeipa/changeset/3aa0731fc660ea3d111a44926ab5dea71dc510e7
https://fedorahosted.org/freeipa/changeset/88083887c994ab505d6e07151e5dd26b56bb7732
https://fedorahosted.org/freeipa/changeset/3cde7e9cfd7908b24082e3e50cdd0955726223d0
https://fedorahosted.org/freeipa/changeset/83cbfa8eaee6b2b84eb9fe9e514a339780df81b5

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/b93bdb7b3ef0f9229b1bb2f5e4db1c4efc1616ea
https://fedorahosted.org/freeipa/changeset/6136a3eb5d943792853359047770b0d85568d4fd
https://fedorahosted.org/freeipa/changeset/a29ee452c4c1b776521869f87433605dc9dd8e77
https://fedorahosted.org/freeipa/changeset/01623f70d85065d48433d26e4d42c885a49989e8
https://fedorahosted.org/freeipa/changeset/0c4d7dabf3e3642451ecaac7837f08011ac772dd
Verified.

IPA Version:
============
[root@dhcp207-214 ~]# rpm -q ipa-server
ipa-server-4.1.0-15.el7.x86_64
[root@dhcp207-214 ~]#

[root@dhcp207-214 nssdb]# ipa-server-install --http-cert-file /root/nssdb/server.p12 --http-pin xxxxxxxx --dirsrv-cert-file /root/nssdb/server.p12 --dirsrv-pin xxxxxxxx --ca-cert-file /root/nssdb/root.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: yes
Existing BIND configuration detected, overwrite? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [dhcp207-214.testrelm.test]:

Warning: skipping DNS resolution of host dhcp207-214.testrelm.test
The domain name has been determined based on the host name.

Please confirm the domain name [testrelm.test]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [TESTRELM.TEST]:
CA certificate in /root/nssdb/server.p12 is not valid: has empty subject
[root@dhcp207-214 nssdb]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html