Broken import of CA certs #5768
Comments
Correct, function add_cert() needs to set ca=True (this flag was added recently). Fix is in the works...
mreynolds389
added a commit
to mreynolds389/389-ds-base
that referenced
this issue
May 18, 2023
Description: The certificate type checks for CA/server break if there are no certificate extensions set (use openssl in that case to gather the info instead). dscontainer needed to be updated for new cert checks, and UI adding certs improvements. relates: 389ds#5768 Reviewed by: spichugi (Thanks!)
lab-at-nohl
pushed a commit
to lab-at-nohl/cockpit-389-ds-containerproxy
that referenced
this issue
May 9, 2024
Description: The certificate type checks for CA/server break if there are no certificate extensions set (use openssl in that case to gather the info instead). dscontainer needed to be updated for new cert checks, and UI adding certs improvements. relates: 389ds/389-ds-base#5768 Reviewed by: spichugi (Thanks!)
Issue Description
Importing CA certs from /data/tls/ca/*.crt into docker container results in error message, container does not start.
Package Version and Platform:
Steps to Reproduce
Expected results
CA certs get imported and used, e.g. for replication via LDAPs later on.
Additional context
dscontainer looks for CA files only at /data/tls/ca/*.crt and stores their filenames in the variable cas. It tries to add them using tls.add_cert, but calls this function without the parameter ca=True. Accordingly, the CA certs get treated as server certs in function add_cert, but the check cert_is_ca identifies them correctly as CA certs, and the above error message is raised.
From 389-ds-base/src/lib389/cli/dscontainer, line 139
From 389-ds-base/src/lib389/lib389/nss_ssl.py, line 1165
The cert_is_ca verification was introduced by commit c69f269 three months ago. Using an older dirsrv 2.2, the CA certs still get imported:
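The mismatch described in this issue can be modelled with an added example (not code from the issue or from lib389): a stdlib-only DER walk reads basicConstraints, and a type check rejects a CA certificate passed without ca=True. The function names, the unsigned sample certificates, and the choice to treat a certificate without the extension as undetermined are assumptions of this example.

```python
# Added example: hypothetical names, not lib389's API; samples are constructed.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def tlv(tag, body):  # encode one DER element (short-form length only)
    return bytes([tag, len(body)]) + body

def read(buf, pos):  # decode the element at pos -> (tag, body, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def cert_is_ca(der):
    """True/False from basicConstraints; None if the extension is absent."""
    tbs = children(read(der, 0)[1])[0][1]
    for tag, val in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)
                if fields[0][1] == BASIC_CONSTRAINTS:
                    bc = children(children(fields[-1][1])[0][1])
                    return any(t == 0x01 and v != b"\x00" for t, v in bc)
    return None

def check_import(der, ca=False):
    """Model of the type check: refuse only a definite mismatch with ca."""
    found = cert_is_ca(der)
    if found is not None and found != ca:
        raise ValueError("certificate is %sa CA but ca=%s" % ("" if found else "not ", ca))
    return found

def sample_cert(extensions=None):  # constructed, unsigned skeleton certificate
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
    if extensions is not None:
        tbs += tlv(0xA3, tlv(0x30, extensions))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def basic_constraints(ca):
    value = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
    return tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, value))
```

Calling `check_import(sample_cert(basic_constraints(True)))` with the default `ca=False` raises, which mirrors the call without `ca=True` described above; passing `ca=True` accepts the same certificate.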