Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2521 I'm using ipa-server-2.1.3-9.el6.x86_64 in centog 6.2. I'm trying to setup the dovecot SSL part. I followed the documentation and created the csr file (actually, in many ways...), but any csr I tried returns a: ipa: ERROR: Certificate operation cannot be completed: Issuer "CN=Certificate Authority,DC=xxxxx,DC=yy" does not match the expected issuer I tried to change the csr subject in many ways, but the error remains. I have found no informations in the documentation, or even in Google... The only non-standard thing that I've done during the installation is using "--subject" in ipa-server-install. P.S.: my apologies, my english is alpha version...
Please add steps to reproduce this issue. Thanks
Install IPA using --subject= something other than O=$REALM and issue a certificate using ipa cert-request.
fixed upstream master: 6d5555eb54cdbe19d4f2f05a340b9ea7ccf2369f ipa-2-2: 5babb3637358c034db6a26c8d64e1edde640fc80 To test install using the --subject option (e.g. O=Test) and confirm that issued certificates use this subject base and certificates can be issued using ipa cert-request.
Verified IPA Sever version: ================== [root@ipa63server tmp]# rpm -q ipa-server ipa-server-2.2.0-7.el6.x86_64 [root@ipa63server tmp]# (1)Installation is successful with --subject="O=Test" [root@ipa63server ipa-cert]# ipa-server-install --hostname=`hostname` -r TESTRELM.COM -n testrelm.com --subject="O=Test" -p Secret123 -P Secret123 -a Secret123 -U (2)Certificates issued are having subject based as "Test" [root@ipa63server ipa-cert]# ipa cert-show 1|grep Test Subject: CN=Certificate Authority,O=Test Issuer: CN=Certificate Authority,O=Test [root@ipa63server ipa-cert]# (3)Also "ipa cert-request" issues certificate with same subject base "O=Test" . [root@ipa63server tmp]# ipa cert-request test.req --add --principal=service/ipa63server.testrelm.com --request-type=pkcs10 Certificate: MIIDlzCCAn+gAwIBAgIBDDANBgkqhkiG9w0BAQsFADAvMQ0wCwYDVQQKEwRUZXN0MR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIwNDAzMTEwMjE3WhcNMTQwNDA0MTEwMjE3WjAyMQ0wCwYDVQQKEwRUZXN0MSEwHwYDVQQDExhpcGE2M3NlcnZlci50ZXN0cmVsbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChdyYt8cIOsU6dBYfBnVk5+h7QB83OfhgLpvtEDOH7kn7GZVUcp1k3Y2UcR2+oYNrzC51XxwthakC5bFZs8mKiBba60lHC41nYv8yZDkkM1ZBEPY+fADHgZeRcEwTZ3hgoZUJVbRPpjdIzQmBh0IVVi3eSF822emMXVuNpGs3JPbAMuybjB2cuEDC789daPZp//zNcV6VbV05TVzWzVZqaVfhY9DyIAsaP4uXgYWqApNzw3js/aXf7A6+a2aiQ+H7S8aLO3DcVoD6bVAsJHIxZmG/ScBbOcwALql3+Jjj4L/VHgarPOR/JjLqFfgKVaczqVgOo+wC37gjMxKt53tftAgMBAAGjgbowgbcwHwYDVR0jBBgwFoAUU6+MY+ERx1sYN0OZhpxnVeLK0pswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhNjNzZXJ2ZXIudGVzdHJlbG0uY29tOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUlNV+WCUey9Pm9zJzcmfI8IC9GZYwDQYJKoZIhvcNAQELBQADggEBAJ5b8W2z82jTBVtSwzPNdvcBA3/GonKaJ11y2Mhu6yh2rt1MefNj3vjxp1cuxl5+RnQ1ssdDVCuy7zCPHhzwcOHmKgxvECBg6PnNrO4ZXL1KhxYaJ8WNxlOF63tw3V/d4gEsC6hctqQ4ZHG0gWqTFB9QFYhJuMgEJgw1Jari8Jg/EXR5BwjpH0u0pQp/os5ijD4gO8G07QJ1xSZpg4ZyThFqOtvC/oiq604xNfRBb3I3N+9gitzkDD1uYso6MM/w7uJtG+9oPHgC7TKhI216bECWBSijmXj8XjRJeLztloxZWMFWw2ohMWYYzwQAG3SU9q8f2nb/jCtTpzz2LdtLeiA= Subject: CN=ipa63server.testrelm.com,O=Test Issuer: CN=Certificate Authority,O=Test Not Before: Tue Apr 03 11:02:17 2012 UTC Not After: Fri Apr 04 11:02:17 2014 UTC Fingerprint (MD5): e7:2b:02:d3:8d:21:6d:a0:d8:55:3d:90:08:8d:58:19 Fingerprint (SHA1): dd:67:1f:be:2b:aa:d6:b2:13:13:cf:73:36:ae:8d:1b:9f:55:62:e3 Serial number: 12 Serial number (hex): 0xC [root@ipa63server tmp]#
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer. Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return "invalid issuer" errors. Fix: Custom user certificate subject base is always read before the certificate issuer is being validated. Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html