Bug 973195 - CA-less install fails when intermediate CA is used
CA-less install fails when intermediate CA is used
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-11 08:54 EDT by Dmitri Pal
Modified: 2016-02-02 06:34 EST (History)
3 users (show)

See Also:
Fixed In Version: ipa-4.1.0-18.el7
Doc Type: Known Issue
Doc Text:
There are multiple problems across different tools used in the identity manager (IdM) installation, which prevents installation of CA-less with intermediate certificate authority (CA). One of the errors is that incorrect trust flags are assigned to the intermediate CA certificate when importing the PKCS#12 file. Consequently, the IdM server installer fails due to an incomplete trust chain that is returned for IdM services. There is no known workaround, CA-less certificates must not contain intermediate CA in their trust chain.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-02 06:34:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitri Pal 2013-06-11 08:54:35 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3668

This is because wrong trust flags are assigned to the intermediate CA certificate when importing the PKCS!#12 file:
{{{
$ certutil -L <dbdir>
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

The Root CA                                                  CT,C,C
ca1/subca/server                                             u,u,u
ca1/subca                                                    ,,   
}}}

This in turn causes certutil to return an incomplete trust chain:
{{{
$ certutil -O -d <dbdir> -n ca1/subca/server
"ca1/subca/server" [CN=vm-131.idm.lab.bos.redhat.com,O=Subsidiary Example Organization]
}}}

Trust flags of intermediate CA certificates should be set to "c,c,c" to fix this.
Comment 1 Douglas Silas 2013-11-11 13:55:32 EST
If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text.

For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see:

https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue

If you have questions, please email rhel-notes@redhat.com.
Comment 2 Martin Kosek 2013-11-28 08:28:25 EST
Filling Known Issue doc text for 7.0
Comment 3 Martin Kosek 2016-01-29 08:10:16 EST
Will this be fixed in the recent 7.3 fixes focused on CA-less to CA-full installation?
Comment 4 Jan Cholasta 2016-02-01 01:18:24 EST
IIRC this has been fixed since 7.1.
Comment 5 Martin Kosek 2016-02-02 06:34:10 EST
Ah, closing as fixed then. Please reopen the bug if this happens again.

Note You need to log in before you can comment on or make changes to this bug.