RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1809279 - Self-Signed-CA.pem not category "authority"
Summary: Self-Signed-CA.pem not category "authority"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.1
Hardware: All
OS: All
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-02 18:54 UTC by Dax Kelson
Modified: 2020-11-04 03:08 UTC (History)
5 users (show)

Fixed In Version: 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 03:07:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 4005 0 None closed SSCA lacks basicConstraint:CA 2021-01-29 23:29:39 UTC
Red Hat Product Errata RHEA-2020:4695 0 None None None 2020-11-04 03:07:59 UTC

Description Dax Kelson 2020-03-02 18:54:37 UTC
Description of problem:

The CA cert that is generated by dscreate won't import into a client's  Shared System Certificates store.


Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f.x86_64


How reproducible:
Install a 389 server, try to trust the Self-Signed-CA.pem

Steps to Reproduce:
1. dscreate from-file ...
2. trust anchor /etc/dirsrv/slapd-localhost/Self-Signed-CA.pem
3. trust list | head

Actual results:

pkcs11:id=%c3%0d%d0%4c%0a%cc%82%1f%1a%f4%75%94%35%16%0f%f6%27%34%9c%25;type=cert
    type: certificate
    label: ssca.389ds.example.com
    trust: anchor
    category: other-entry


Expected results:

pkcs11:id=%c3%0d%d0%4c%0a%cc%82%1f%1a%f4%75%94%35%16%0f%f6%27%34%9c%25;type=cert
    type: certificate
    label: ssca.389ds.example.com
    trust: anchor
    category: authority


Notice the category is incorrectly "other-entry"


Additional info:

openldap-client by default loads /etc/pki/tls/cert.pem which is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Because the category is 'other-entry', when you run the command 'update-ca-trust' it won't add the certificate to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Note that update-ca-trust is simple shell script, the command that fails is:

DEST=/etc/pki/ca-trust/extracted
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem

Comment 3 bsmejkal 2020-08-05 14:44:38 UTC
=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.6.8, pytest-6.0.1, py-1.9.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-228.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '6.0.1', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.10.0', 'html': '2.1.1', 'libfaketime': '0.1.2'}}
389-ds-base: 1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-15.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.10.0, html-2.1.1, libfaketime-0.1.2
collected 2 items / 1 deselected / 1 selected                                                                                                                                                                     

dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py::test_cert_category_authority PASSED                                                                                                                [100%]

================================================================================== 1 passed, 1 deselected in 20.01s ==============================================================================================

Marking as VERIFIED.

Comment 6 errata-xmlrpc 2020-11-04 03:07:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695


Note You need to log in before you can comment on or make changes to this bug.