Bug 509111
| Summary: | Can't install replica on F11 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Martin Nagy <mnagy> | ||||
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | Chandrasekar Kannan <ckannan> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 2.0 | CC: | benl, dpal, edewata, hripps, jgalipea, redhat-bugzilla, rvokal | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-03-28 09:29:48 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 509132 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Martin Nagy
2009-07-01 12:40:10 UTC
The good news is I know why it is failing. The bad news is it is because of a change in the NSS certutil utility. The CA cert is getting imported into the 389 database ok but it is marked as untrusted. In older versions of NSS we'd use certutil -O -n Server-Cert to print the chain of the certificate to get the CA nickname to add CA trust to. It would appear that the NSS in F-11 only prints those in the chain that are already trusted. So we need to find another way to identify which CA(s) to trust. Ideally this will be fixed in certutil, filed bug 509132 If you are using an NSS self-signed certificate (the default when installing) then you can modify /usr/lib/python2.6/site-packages/ipaserver/install/certs.py and make the following change:
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -584,6 +584,7 @@ class CertDB(object):
self.set_perms(self.pwd_conf, uid="apache")
def find_root_cert(self, nickname):
+ return "CA certificate"
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-O", "-n", nickname], stdout=subprocess.PIPE)
This should do the trick.
Created attachment 354934 [details]
Use pk12util to find CAs to trust instead of certutil
This patch is against the master branch.
Use the output of pk12util -l to find the CAs to trust instead of certutil -O
FYI: The exact same problem exists on Fedora 10.
# rpm -q ipa-server nss-tools
ipa-server-1.2.1-2.fc10.x86_64
nss-tools-3.12.3.99.3-2.10.4.fc10.x86_64
Workaround to make ipa-replica-install succeed (Rob's patch modified for F10):
# pwd
/usr/lib/python2.5/site-packages/ipaserver
# rcsdiff -u certs.py
===================================================================
RCS file: RCS/certs.py,v
retrieving revision 1.1
diff -u -r1.1 certs.py
--- certs.py 2009/08/06 08:24:29 1.1
+++ certs.py 2009/08/06 08:25:16
@@ -305,6 +305,7 @@
self.set_perms(self.pin_fname)
def find_root_cert(self, nickname):
+ return "CA certificate"
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
"-O", "-n", nickname], stdout=subprocess.PIPE)
ipa-1-2: 8ab2977eeb79571ed6f976a12a51ed2b75cdc12b ipa-1.2.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc10 ipa-1.2.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc11 ipa-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. ipa-1.2.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. |