[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

Jan Cholasta jcholast at redhat.com
Fri Jun 7 13:26:36 UTC 2013


On 7.6.2013 15:17, John Dennis wrote:
> On 06/07/2013 08:57 AM, Jan Cholasta wrote:
>> Yes, this is correct. The DS certificate must be directly signed by the
>> CA trusted by IPA (specified by --root-ca-cert in ipa-server-install),
>> there may be no intermediate CAs, because ldapsearch and friends and
>> python-ldap don't like them.
>
> That doesn't sound right. Do we understand why a chain length > 1 is
> failing?
>

LDAP utilities and python-ldap only trust certificates directly issued 
by CAs you point them to (at least on Fedora 18).

Honza

-- 
Jan Cholasta
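
Added example, not part of the original message and not FreeIPA code: a shell pre-flight check for the constraint described above, that the server certificate be issued directly by the CA given as --root-ca-cert. It assumes the openssl CLI is installed; the function names, file names and the throwaway hierarchy built by make_demo_pki are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a server certificate was issued directly by
# the CA that will be trusted. Assumes the openssl CLI is available.

# Print the DN that follows "subject=" or "issuer=" for a PEM certificate.
dn() {  # dn subject|issuer FILE
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# Succeed only if CERT names CA as its issuer and its signature verifies
# against CA alone, with no intermediate certificates supplied.
directly_issued() {  # directly_issued CA_PEM CERT_PEM
    [ "$(dn issuer "$2")" = "$(dn subject "$1")" ] &&
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a key and certificate NAME signed by ISSUER inside directory $d.
issue() {  # issue NAME CN ISSUER [extra "openssl x509" options...]
    n=$1 cn=$2 ca=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/$n.csr" -CA "$d/$ca.pem" \
        -CAkey "$d/$ca.key" -CAcreateserial -out "$d/$n.pem" "$@" 2>/dev/null
}

# Build a constructed root -> intermediate hierarchy in directory $1, plus
# one server certificate from each issuer. Test data only.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    issue inter 'Constructed Intermediate CA' root -extfile "$d/ca.ext" &&
    issue direct 'ds-direct.example.test' root &&
    issue chained 'ds-chained.example.test' inter
}

# Usage: sh check.sh CA_PEM SERVER_CERT_PEM
if [ "$#" -eq 2 ]; then
    if directly_issued "$1" "$2"; then
        echo "OK: certificate is issued directly by the given CA"
    else
        echo "FAIL: certificate is not issued directly by the given CA"
        exit 1
    fi
fi
```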



