On 01/13/2015 04:53 PM, Bram Vandoren wrote:
> Hi All,
> We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to
> complete freeipa-client-install. It fails due to a parsing error of the CA
> certificate. I tracked down the error and it seems our cn=CACert,cn=ipa,cn=etc
> entry is invalid. This is the ldif:
> dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
> objectClass: top
> objectClass: pkiCA
> objectClass: nsContainer
> cn: CAcert
> cACertificate;binary:: (this fields contains base64 encoded data, not binary 
> data)
> I modified the certstore.py script and changed line 299 from
>         cert = entry.single_value['cACertificate;binary']
> to:
>         cert = base64.b64decode(entry.single_value['cACertificate;binary'])
> after that ipa-client-install completes without a problem.
> We run FreeIPA for a few years now so perhaps something went wrong with an
> update of the server at some point and the cn=CACert entry was not updated
> correctly.

Hello Bram,

Good investigation! You already found the root cause. You are most possibly
hitting https://bugzilla.redhat.com/show_bug.cgi?id=948928 that is fixed in
ipa-3.0.0-30.el6 or later.

> What's the valid format of the CACert entry in LDAP? Can we change it to 
> binary
> without other clients ending up in trouble?

Yes. It is supposed to be in binary, as even the attribute name
cACertificate;binary suggests. If you fixed the certificate or removed the
attribute and let LDAP updater do it's job and re-upload it correctly, you
should be fine.

> Guessing from the get_ca_certs
> function we also want other attributes like ipaCertSubject,
> ipaCertIssuerSerial,... These are also missing in our server but perhaps these
> were only added in later FreeIPA server versions.

These were added for FreeIPA 4.1, as part of tickets


You do not need to worry about them for clients/servers older than 4.1.


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to