Bug 1249781 - create-certdb.sh script was removed but appears to be necessary for proper client lib functionality
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matus Honek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1270678
Blocks:
Reported: 2015-08-03 19:47 UTC by Joe Miller
Modified: 2017-11-14 14:32 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-11-14 14:32:51 UTC
Type: Bug
Embargoed:



Description Joe Miller 2015-08-03 19:47:06 UTC
Description of problem:

In previous versions of the openldap-clients RPM a script 'create-certdb.sh' was included which would create an NSS cert database in /etc/openldap/certs/ populated with the public CAs from the system's main cert store. This certdb containing CA certs is necessary for LDAPS clients that want to verify LDAPS server certs to function properly out of the box.


Version-Release number of selected component (if applicable):



How reproducible:
every time.


Steps to Reproduce:
1. Install openldap-clients lib
2. Install PHP with openldap libs
3. use this test script to test a connection to an LDAPS server (you'll need to supply your own):  https://gist.github.com/joemiller/3d8bce6d50dae985e807

Actual results:
With the /etc/openldap/certs/ dir unpopulated after installation, you'll see TLS errors such as:

ldap_parse_result
ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
TLS: certificate [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /data/home/joe/ldaps-test.php on line 18
ldap_err2string
Could not start TLS.-11 Connect error


Expected results:

With a correctly populated /etc/openldap/certs dir:

ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=ldap.ucdavis.edu,OU=IET-DCCS,O="University of California, Davis",STREET=One Shields Ave,L=Davis,ST=CA,postalCode=95616,C=US] is valid
TLS certificate verification: subject: CN=ldap.xxxx.xxx,OU=IET-DCCS,O="University of California, Davis",STREET=One Shields Ave,L=Davis,ST=CA,postalCode=95616,C=US, issuer: CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
start tls success


Additional info:

It appears this script was removed along with the generate-server.cert.sh script in this commit:  http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=b730f13ce0e8d13d2f0b94b3bee19e4457da5576

with the message:

"""
    simplify package even more by removing certificate generation

    Creating self-signed certificates for localhost is pointless. If anyone
    uses TLS, they probably have their own. Testers can generate their own
    as well, the package doesn't have to be plagued by scripts just because
    of that.
"""

Perhaps only the generate-server-cert.sh script should have been removed, and the create-certdb.sh script should remain?
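An added example, not the removed create-certdb.sh nor any Fedora package code: a POSIX shell sketch of what such a script has to do (create an empty NSS database and import every CA from the system bundle with server-issuer trust), plus a helper to check whether /etc/openldap/certs is actually populated. It assumes nss-tools (certutil) is installed and that the system bundle lives at /etc/pki/tls/certs/ca-bundle.crt; the bundle path is an assumption.

```shell
#!/bin/sh
# Added example, not the Fedora package's own create-certdb.sh.
# Assumes certutil (nss-tools) is installed; the default bundle path below is
# an assumption, pass another as the second argument of create_certdb if needed.

# split_pem_bundle BUNDLE OUTDIR: write each CERTIFICATE block of BUNDLE to
# OUTDIR/ca-N.pem and print the number of blocks written.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/ca-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# create_certdb CERTDIR [BUNDLE]: create an empty NSS database in CERTDIR and
# import every CA with trust "C,," (trusted to issue server certificates),
# which is what the moznss backend needs to validate an LDAPS peer.
create_certdb() {
    certdir=$1; bundle=${2:-/etc/pki/tls/certs/ca-bundle.crt}
    tmp=$(mktemp -d)
    mkdir -p "$certdir"
    certutil -N -d "$certdir" --empty-password
    count=$(split_pem_bundle "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        certutil -A -d "$certdir" -n "ca-$i" -t "C,," -a -i "$tmp/ca-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# certdb_ca_count CERTDIR: number of certificate entries certutil lists in the
# database (lines ending in a trust triple such as "C,,"); 0 or a missing
# database is the state that produces the "cannot open certdb" error above.
certdb_ca_count() {
    certutil -L -d "$1" 2>/dev/null \
        | grep -cE '[[:space:]][A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$' || true
}
```

Run `create_certdb /etc/openldap/certs` as root on an affected host, then `certdb_ca_count /etc/openldap/certs` should report a non-zero number before retrying ldap_start_tls.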

Comment 1 Fedora End Of Life 2016-07-19 17:20:19 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 2 Matus Honek 2016-09-14 15:09:28 UTC
Hello Joe,

your statements are correct. However, as Fedora introduced Shared System Certificates [1] a while ago we should implement it (see bug 1270678) and drop the custom script entirely.

TODO: there is still a line calling create-certdb.sh in the SPEC file which we should drop here.

[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates

Comment 3 Fedora End Of Life 2017-02-28 09:47:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 4 Jan Kurik 2017-08-15 06:51:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

