Bug 451014 - ipa-server-certinstall - Directory name error
ipa-server-certinstall - Directory name error
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server (Show other bugs)
1.0
All Linux
low Severity low
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
: 452300 (view as bug list)
Depends On:
Blocks: 453489
  Show dependency treegraph
 
Reported: 2008-06-12 07:58 EDT by Eric Desgranges
Modified: 2015-01-04 18:32 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-04 14:21:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
properly convert realm name into DS instance name (1.01 KB, patch)
2008-07-01 10:15 EDT, Rob Crittenden
no flags Details | Diff

  None (edit)
Description Eric Desgranges 2008-06-12 07:58:14 EDT
ipa-server-certinstall -d .....

assumes CA certificate is located in:
/etc/dirsrv/slapd-DOMAIN.COM/

but IPA installation routines put it in:
/etc/dirsrv/slapd-DOMAIN-COM/

('.' vs '-').
Comment 1 Rob Crittenden 2008-06-12 15:02:40 EDT
The fix for this is:

diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..90130e4 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -134,7 +134,7 @@ def main():
         if options.dirsrv:
             dm_password = getpass.getpass("Directory Manager password: ")
             realm = get_realm_name()
-            dirname = dsinstance.config_dirname(realm)
+            dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
             server_cert = import_cert(dirname, pkcs12_fname)
             set_ds_cert_name(server_cert[0], dm_password)
Comment 2 Rob Crittenden 2008-07-01 10:15:49 EDT
Created attachment 310674 [details]
properly convert realm name into DS instance name
Comment 3 Rob Crittenden 2008-07-01 15:12:40 EDT
master: e9196e2d9311f4de0423745568fe72f69dc4fa52
Comment 4 Rob Crittenden 2008-07-03 13:30:19 EDT
Need to commit to ipa-1-0 branch as well
Comment 5 Rob Crittenden 2008-07-03 13:52:07 EDT
*** Bug 452300 has been marked as a duplicate of this bug. ***
Comment 6 Rob Crittenden 2008-07-03 15:28:57 EDT
ipa-1-0: 23a9b65c9c0c82985cdc0efbe15c9530ab9da72d
Comment 9 Yi Zhang 2008-07-24 19:07:52 EDT
Bug verification: passed

test:
step 1: generate self-sign cert
step 2: run ipa-server-certinstall -d to import cert

test output is below:
--------------------------------------
[step 1]

server64[07/22/08 19:48]/tmp/nss >certutil -L -d . -n yi-cert-01

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123 (0x7b)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ipaqa.ipa.com,O=redhat"
        Validity:
            Not Before: Wed Jul 23 02:48:18 2008
            Not After : Sat Jan 23 02:48:18 2010
        Subject: "CN=ipaqa.ipa.com,O=redhat"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    e9:8e:ad:c0:cf:ac:f9:64:7e:85:73:7f:45:88:e0:21:
                    cf:68:00:e9:5c:cd:ac:71:ea:9a:6f:87:72:1f:d5:d1:
                    7b:de:34:70:e0:c6:db:60:c5:41:74:e1:38:0c:59:54:
                    53:27:e7:78:41:dd:d0:42:65:97:dc:8c:b1:60:70:df:
                    b1:c5:dd:4f:bf:a9:74:ed:f9:a9:a6:4a:7a:db:f2:18:
                    08:8f:b7:84:5b:74:eb:9e:7f:f9:af:51:54:ce:f0:a3:
                    4d:5d:4c:eb:51:b1:ea:69:c8:4f:d2:2c:40:91:21:3a:
                    bf:e2:00:89:6e:cc:3e:39:35:f9:62:0d:7b:3f:2d:e1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Data Encipherment
                    Key Agreement
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        9e:7c:31:64:f3:98:7e:08:d5:2a:97:26:ef:5c:8b:5c:
        fb:0d:22:18:e4:68:1a:31:02:18:3e:d0:52:80:c7:99:
        ff:3a:17:b5:85:00:5a:26:46:1b:ed:ae:d8:98:ad:70:
        ab:a5:06:a3:e4:6a:fd:ce:c5:cf:65:9a:14:17:0d:54:
        71:10:aa:95:e0:45:d3:a9:35:68:e6:4c:33:c2:00:11:
        7b:17:96:1d:2b:e8:e5:c8:9a:19:dc:b7:c4:48:87:01:
        b8:f2:1b:cd:4a:74:19:13:2f:6b:34:36:a5:41:d7:11:
        5b:9f:cb:ed:c4:72:c6:03:b2:3c:7d:ed:eb:24:9e:26
    Fingerprint (MD5):
        7B:45:85:22:6B:7C:D7:31:67:DD:22:AD:70:EC:04:9B
    Fingerprint (SHA1):
        DA:1A:DB:0D:C4:26:99:B9:F4:D2:E3:A6:53:3B:EE:74:82:DF:91:71

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User
----------------------------------
[step 2]

server64[07/22/08 19:48]/tmp/nss >ipa-server-certinstall -d
--dirsrv_pin=netscape /tmp/nss/yi.p12 
Directory Manager password: 
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-cert-01
Certificate number [1]: 2

You have new mail in /var/spool/mail/root
server64[07/22/08 19:48]/tmp/nss >certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CTu,Cu,u
Comment 11 errata-xmlrpc 2008-08-04 14:21:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html

Note You need to log in before you can comment on or make changes to this bug.