Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates
On Wed, 16 Dec 2015, Harald Dunkel wrote:
> On 12/15/2015 04:04 PM, Alexander Bokovoy wrote:
>> It makes it possible for others to see your specific details, as this
>> is the first time we get such a bug report.
> Done: https://bugzilla.redhat.com/show_bug.cgi?id=1292042
>
> Now what would you suggest as a workaround?
I've asked you to provide ipaserver-install.log in the bug. Without it,
it is a bit hard to see how to help. Let's continue in the bug.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates
On 12/16/2015 12:27 PM, Alexander Bokovoy wrote:
> I've asked you to provide ipaserver-install.log in the bug. Without it,
> it is a bit hard to see how to help. Let's continue in the bug.
The bug report has been updated.
Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates
On 12/15/2015 04:04 PM, Alexander Bokovoy wrote:
> It makes it possible for others to see your specific details, as this
> is the first time we get such a bug report.
Done: https://bugzilla.redhat.com/show_bug.cgi?id=1292042

Now what would you suggest as a workaround?
Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates
On Tue, 15 Dec 2015, Harald Dunkel wrote:
> Hi folks,
>
> apparently ipa-server-install (4.2) gets confused about the attribute
> sequence in the DNs of the certificates. If I use
>
>     ipa-server-install --external-ca --subject="C=DE,O=example AG"
>
> then ipa's CSR contains
>
>     O=example AG, C=DE, CN=Certificate Authority
>
> The signed certificate contains
>
>     C=DE, O=example AG, CN=Certificate Authority
>
> If I run ipa-server-install again to hand off the certificate chain,
> then the code in load_external_cert() (installutils.py) sees
>
>     ca_subject = "CN=Certificate Authority,C=DE,O=example AG"
>     subject = "CN=Certificate Authority,O=example AG,C=DE"
>     :
>     if subject == ca_subject:
>         ca_nickname = nickname
>     :
>     if ca_nickname is None:
>         raise ScriptError("IPA CA certificate not found in %s"
>                           % (", ".join(files)))
>
> The strings don't match and the certificate chain is rejected, even
> though it is valid. Please check
> https://tools.ietf.org/html/rfc5280#section-7.1 for reference.
>
> Can anybody reproduce this? What would you suggest to convince ipa 4.2
> to accept valid certificate chains?
Could you please file a bug about it?
--
/ Alexander Bokovoy
[Freeipa-users] freeipa-server-install fails to compare DNs in certificates
Hi folks,

apparently ipa-server-install (4.2) gets confused about the attribute
sequence in the DNs of the certificates. If I use

    ipa-server-install --external-ca --subject="C=DE,O=example AG"

then ipa's CSR contains

    O=example AG, C=DE, CN=Certificate Authority

The signed certificate contains

    C=DE, O=example AG, CN=Certificate Authority

If I run ipa-server-install again to hand off the certificate chain,
then the code in load_external_cert() (installutils.py) sees

    ca_subject = "CN=Certificate Authority,C=DE,O=example AG"
    subject = "CN=Certificate Authority,O=example AG,C=DE"
    :
    if subject == ca_subject:
        ca_nickname = nickname
    :
    if ca_nickname is None:
        raise ScriptError("IPA CA certificate not found in %s"
                          % (", ".join(files)))

The strings don't match and the certificate chain is rejected, even
though it is valid. Please check
https://tools.ietf.org/html/rfc5280#section-7.1 for reference.

Can anybody reproduce this? What would you suggest to convince ipa 4.2
to accept valid certificate chains?

Regards
Harri
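The DN comparison that the post's RFC 5280 reference describes, as an added example written for this page (it is not code from the thread or from FreeIPA). Section 7.1 compares distinguished names structurally rather than as strings: attribute types match case-insensitively, attribute values are compared after case folding and collapsing insignificant whitespace, and two names match only if they have the same number of RDNs, each RDN matches, and the matching RDNs appear in the same order. The Python below parses RFC 4514 string DNs into RDN sequences and applies those rules to the two strings quoted from installutils.py. It implements only the case and whitespace part of 7.1, not the full RFC 4518 string preparation; the alias table covers just a handful of RFC 4514 short names; and find_ca_nickname() with its nickname-to-subject dictionary is a hypothetical stand-in for the installer loop, not FreeIPA's API.

```python
"""Structural DN comparison per RFC 5280 section 7.1 (added example, not FreeIPA code).

RFC 4514 string DNs are parsed into a sequence of RDNs and compared RDN by RDN:
same count, same order, types case-insensitive, values case-folded with
insignificant whitespace collapsed (that part of 7.1 only, not full RFC 4518 prep).
"""
import string
from typing import Dict, FrozenSet, List, Optional, Tuple

RDN = FrozenSet[Tuple[str, str]]

# A few RFC 4514 long type names folded to their short names, so "commonName=" == "CN=".
_TYPE_ALIASES = {"commonname": "cn", "countryname": "c", "organizationname": "o",
                 "organizationalunitname": "ou", "localityname": "l",
                 "stateorprovincename": "st", "domaincomponent": "dc"}


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, skipping backslash-escaped characters (escapes are kept as-is)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: '\\X' for a special character, '\\HH' for a byte."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3] if value[i] == "\\" else ""
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))  # raw byte; may be one byte of a UTF-8 character
            i += 3
        elif pair:
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def _normalize_value(value: str) -> str:
    """7.1: drop leading/trailing whitespace, collapse inner runs, ignore case."""
    return " ".join(_unescape(value).split()).casefold()


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 string (most-specific RDN first) into a list of RDNs.

    Each RDN is a frozenset of (type, normalized value), so the components of a
    multi-valued RDN ('CN=a+OU=b') match regardless of their order.
    """
    if not dn.strip():
        return []
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn_text, "+"):
            attr_type, eq, value = ava.partition("=")
            if not eq:
                raise ValueError("malformed AttributeTypeAndValue: %r" % ava)
            attr_type = attr_type.strip().casefold()
            avas.add((_TYPE_ALIASES.get(attr_type, attr_type), _normalize_value(value)))
        rdns.append(frozenset(avas))
    return rdns


def dn_match(dn1: str, dn2: str) -> bool:
    """True if the two DNs match under RFC 5280 7.1: matching RDNs in the same order."""
    return parse_dn(dn1) == parse_dn(dn2)


def find_ca_nickname(certs: Dict[str, str], ca_subject: str) -> Optional[str]:
    """Hypothetical stand-in for the installer loop quoted in the post: a
    structural match where load_external_cert() uses '=='."""
    for nickname, subject in certs.items():
        if dn_match(subject, ca_subject):
            return nickname
    return None


# The two strings from the post, in RFC 4514 (CN-first) form as the installer sees them.
CSR_SUBJECT = "CN=Certificate Authority,C=DE,O=example AG"   # requested via --subject
CERT_SUBJECT = "CN=Certificate Authority,O=example AG,C=DE"  # as issued by the external CA

if __name__ == "__main__":
    relaxed = "cn=certificate   authority, c=de , o=Example AG"  # constructed variant
    print(dn_match(CSR_SUBJECT, CERT_SUBJECT))  # False: C and O RDNs are in a different order
    print(dn_match(CSR_SUBJECT, relaxed))       # True: case and spacing are insignificant
    print(CSR_SUBJECT == relaxed)               # False: the installer's plain string compare
    # Constructed nickname -> subject map standing in for the PEM files handed to the installer.
    print(find_ca_nickname({"Root": "CN=Root,O=example AG,C=DE", "IPA": relaxed}, CSR_SUBJECT))  # IPA
```

Run as a script, the checker reports the CSR and certificate subjects from the post as different names, because the C and O RDNs were reordered between the CSR and the issued certificate, while it accepts the case and spacing variants that the installer's == rejects. Dropping the order check so that the reordered pair matches would also make genuinely distinct names such as CN=x,OU=a,O=b and CN=x,O=b,OU=a compare equal, so a matcher that decides which certificate is the CA should keep it.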
Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates
On Tue, 15 Dec 2015, Harald Dunkel wrote:
> On 12/15/2015 02:51 PM, Alexander Bokovoy wrote:
>> Could you please file a bug about it?
> I tried, but trac refused my username/password for redhat.com. Due to
> greylisting I haven't received the confirmation request by email,
> either.
>
> Anyway, I have to continue getting ipa running. Filing a bug doesn't
> help to work around the problem.
It makes it possible for others to see your specific details, as this is
the first time we get such a bug report.
--
/ Alexander Bokovoy
Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates
On 12/15/2015 02:51 PM, Alexander Bokovoy wrote:
> Could you please file a bug about it?
I tried, but trac refused my username/password for redhat.com. Due to
greylisting I haven't received the confirmation request by email, either.

Anyway, I have to continue getting ipa running. Filing a bug doesn't help
to work around the problem.

Regards
Harri