[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used
Jan Cholasta
jcholast at redhat.com
Fri Jun 7 12:57:55 UTC 2013
On 7.6.2013 14:26, Martin Kosek wrote:
> On 06/07/2013 02:04 PM, Dmitri Pal wrote:
>> On 06/07/2013 03:47 AM, freeipa wrote:
>>> #3668: CA-less install fails when intermediate CA is used
>>> -------------------------------------+-------------------------------------
>>> Reporter: jcholast | Owner: jcholast
>>> Type: defect | Status: assigned
>>> Priority: major | Milestone: 2013 Month 06 - June (3.2.x bug fixing)
>>> Component: Installation | Version:
>>> Resolution: | Keywords:
>>> Blocked By: | Blocking:
>>> Tests Updated: 0 | Affects DOC: 0
>>> Patch posted for review: 0 | Red Hat Bugzilla:
>>> Source: | Effort Type:
>>> Targeted feature: | Design link:
>>> Design review: 0 | Fedora test page:
>>> Chosen: | Needs UI design:
>>> -------------------------------------+-------------------------------------
>>> Release Notes:
>>>
>>>
>>> -------------------------------------+-------------------------------------
>>> Changes (by mkosek):
>>>
>>> * rhbz: 0 =>
>>>
>>>
>>> Comment:
>>>
>>> We do not support intermediate CAs for external CA install or CA-less
>>> install. Thus, this ticket cannot be easily solved without extensive changes to
>>> the installer. Related to #3274 (Pilsner milestone).
>>>
>>> Moving back to triage to decide what to do about this ticket.
>>>
>> So you are saying that CA we chain to or get the certs from should
>> always be a root CA?
>> Why does it matter for our code whether the CA we deal with is a Root CA or
>> not?
>
> No, this is a case when a CA you pass for FreeIPA is not a direct "parent" of
> HTTP/DIRSRV certificates, i.e. there is an intermediate CA between the CA
> passed to IPA and the actual certs.
>
> It should not mean that the root CA you pass to IPA must be necessarily a root
> CA of the entire chain. Jan, is this correct? Can you elaborate?
Yes, this is correct. The DS certificate must be directly signed by the
CA trusted by IPA (specified by --root-ca-cert in ipa-server-install);
there may be no intermediate CAs, because ldapsearch and friends and
python-ldap don't like them.
Honza
--
Jan Cholasta
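The precondition Jan describes (the DS/HTTP certificate must be issued directly by the CA handed to --root-ca-cert, with no intermediate in between) can be checked before running the installer. The script below is an added example, not FreeIPA code or anything from the thread: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (all CNs are made up, and the only assumption is that openssl is on PATH), then shows that a leaf signed by the intermediate fails against the root alone and only verifies once the intermediate is supplied, which is exactly what the ldap clients in the thread cannot do.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Builds a throwaway root -> intermediate -> leaf
# chain (constructed sample data, all names made up) and checks the precondition
# from the thread: a DS/HTTP cert works with ipa-server-install --root-ca-cert
# only if it is issued *directly* by the CA in that file, with no intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: CA extensions for root/intermediate, end-entity for leaves.
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# self_signed NAME CN: self-signed root CA -> $WORK/NAME.pem and $WORK/NAME.key
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -config "$WORK/ext.cnf" -extensions ca_ext \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME CN ISSUER SECTION: cert for CN signed by ISSUER's key, extensions from SECTION
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/ext.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
}

# directly_issued LEAF CA: succeeds only if LEAF's issuer DN equals CA's subject DN
# *and* LEAF's signature verifies against CA alone (no -untrusted intermediates).
directly_issued() {
  issuer=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer)
  subject=$(openssl x509 -in "$WORK/$2.pem" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_verifies LEAF CA INTERMEDIATE: full-chain check with the intermediate supplied,
# i.e. what the clients mentioned in the thread would need to do but do not.
chain_verifies() {
  openssl verify -CAfile "$WORK/$2.pem" -untrusted "$WORK/$3.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

build_chain() {
  self_signed root "Example Root CA"
  issue inter "Example Intermediate CA" root ca_ext
  issue ds "ds.ipa.example.test" inter leaf_ext        # signed by the intermediate
  issue ds_direct "ds.ipa.example.test" root leaf_ext  # signed directly by the root
}

main() {
  build_chain
  if directly_issued ds_direct root; then
    echo "ds_direct.pem: usable with --root-ca-cert root.pem"
  fi
  if ! directly_issued ds root; then
    echo "ds.pem: NOT directly issued by root.pem (intermediate in between)"
  fi
  if chain_verifies ds root inter; then
    echo "ds.pem: only verifies once the intermediate is supplied as well"
  fi
}
main
```

To check a real pair of files, point `directly_issued` at the certificate you intend to give the installer and the CA you intend to pass as --root-ca-cert; if the DN comparison or the single-file `openssl verify` fails, there is an intermediate in the path and the install described in the ticket will not work.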