Hi folks,

apparently ipa-server-install (4.2) gets confused about the
attribute sequence in the DNs of the certificates. If I use

        ipa-server-install --external-ca --subject="C=DE,O=example AG"

then ipa's csr contains

        O=example AG, C=DE, CN=Certificate Authority

The signed certificate contains

        C=DE, O=example AG, CN=Certificate Authority

If I run ipa-server-install again to hand off the certificate
chain, then the code in load_external_cert() (installutils.py)
sees
        ca_subject = "CN=Certificate Authority,C=DE,O=example AG"
        subject    = "CN=Certificate Authority,O=example AG,C=DE"
        :
        if subject == ca_subject:
                ca_nickname = nickname
        :
        if ca_nickname is None:
                raise ScriptError("IPA CA certificate not found in %s" % (", 
".join(files)))

The strings don't match and the certificate chain is rejected,
even though it is valid.

Please check https://tools.ietf.org/html/rfc5280#section-7.1 for
reference.


Can anybody reproduce this? What would you suggest to convince
ipa 4.2 to accept valid certificate chains?


Regards
Harri

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to