[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used
John Dennis
jdennis at redhat.com
Fri Jun 7 13:36:16 UTC 2013
On 06/07/2013 09:26 AM, Jan Cholasta wrote:
> On 7.6.2013 15:17, John Dennis wrote:
>> On 06/07/2013 08:57 AM, Jan Cholasta wrote:
>>> Yes, this is correct. The DS certificate must be directly signed by the
>>> CA trusted by IPA (specified by --root-ca-cert in ipa-server-install),
>>> there may be no intermediate CAs, because ldapsearch and friends and
>>> python-ldap don't like them.
>>
>> That doesn't sound right. Do we understand why a chain length > 1 is
>> failing?
>>
>
> LDAP utilities and python-ldap only trust certificates directly issued
> by CAs you point them to (at least on Fedora 18).
This sounds like a bug in MozLDAP (i.e. the NSS LDAP crypto provider).
Have we filed a bug? Let's file the bug here in the Red Hat bugzilla,
not upstream, we're the maintainers of MozLDAP and upstream is already
frustrated with it.