Ensure correct IPA CA nickname in DS and HTTP NSSDBs #173

Conversation

frasertweedale
Contributor

@frasertweedale frasertweedale commented Oct 20, 2016

During replica installation, if the IPA deployment has a custom
subject_base, the routines that create the DS and HTTP NSSDBs
erroneously compare the subject of CA certs to the default subject
base. This causes the IPA CA cert to be added to the NSSDBs with a
nickname derived from the subject name, instead of "{REALM} IPA CA".

At a later stage of installation, the upload_cacrt plugin reads
certs from the HTTP NSSDB in order to update the cn=certificates
LDAP certstore. The NSSDB nickname of the cert is used as the CN
for the entry. Because the IPA CA cert was not installed in the
HTTP NSSDB with the "{REALM} IPA CA" nickname, this causes a spurious
entry for the IPA CA to be added to the certstore.

To avoid this scenario, use the deployment's actual subject base
when deciding if a cert is the IPA CA cert.

Fixes: https://fedorahosted.org/freeipa/ticket/6415
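The following is an added example, not FreeIPA's own code and not part of this PR. It models the two steps the description above walks through: deciding whether a CA cert in the NSSDB is the IPA CA cert (by comparing its subject against a subject base) and then letting `upload_cacrt` turn NSSDB nicknames into `cn=certificates` entries. It shows the pre-fix comparison against the default subject base producing a wrong nickname and hence a second certstore entry, beside the fixed comparison against the deployment's actual subject base. The default subject base `O=<REALM>`, the IPA CA subject `CN=Certificate Authority,<subject base>`, and the fallback nickname being the subject CN are assumptions made for illustration; the PR text does not state them.

```python
"""Added example (not FreeIPA code): model the nickname decision fixed
by this PR and the spurious cn=certificates entry it caused.

Assumptions used only for illustration, not taken from the PR page:
  * the default subject base is "O=<REALM>";
  * the IPA CA cert subject is "CN=Certificate Authority,<subject base>";
  * a CA cert not recognised as the IPA CA gets its subject CN as nickname.
"""
from typing import List, Set, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (ATTR, value) pairs.

    Handles backslash-escaped commas, upper-cases attribute types and
    strips surrounding whitespace. Deliberately minimal: not a full
    RFC 4514 parser (no multi-valued RDNs, no hex-encoded values).
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escaped char literally
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_equal(a: str, b: str) -> bool:
    """Compare DNs structurally, with case-insensitive values, not as raw strings."""
    def norm(dn: str):
        return [(t, v.lower()) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


def default_subject_base(realm: str) -> str:
    return "O=" + realm  # assumption, see module docstring


def ipa_ca_subject(subject_base: str) -> str:
    return "CN=Certificate Authority," + subject_base  # assumption


def ca_nickname(subject: str, realm: str, subject_base: str) -> str:
    """Fixed behaviour: recognise the IPA CA using the deployment's actual subject base."""
    if dn_equal(subject, ipa_ca_subject(subject_base)):
        return realm + " IPA CA"
    # Not the IPA CA (e.g. an external chain cert): fall back to the subject CN.
    for attr, value in parse_dn(subject):
        if attr == "CN":
            return value
    return subject


def buggy_ca_nickname(subject: str, realm: str, subject_base: str) -> str:
    """Pre-fix behaviour: ignores subject_base and compares against the default."""
    return ca_nickname(subject, realm, default_subject_base(realm))


def certstore_after_upload(realm: str, http_nssdb_nicknames: List[str]) -> Set[str]:
    """Model upload_cacrt: each HTTP NSSDB nickname becomes the CN of an entry
    under cn=certificates. The store already holds the IPA CA entry written
    by the first master, so a differently named nickname for the same cert
    yields a second, spurious entry."""
    entries = {realm + " IPA CA"}
    entries.update(http_nssdb_nicknames)
    return entries


def replica_install(realm: str, subject_base: str, fixed: bool) -> Set[str]:
    """Run both steps end to end and return the resulting certstore CNs."""
    subject = ipa_ca_subject(subject_base)
    pick = ca_nickname if fixed else buggy_ca_nickname
    nickname = pick(subject, realm, subject_base)
    return certstore_after_upload(realm, [nickname])


if __name__ == "__main__":
    # Constructed sample deployment with a custom subject base.
    print(replica_install("EXAMPLE.COM", "O=Example Corp,C=US", fixed=False))
    print(replica_install("EXAMPLE.COM", "O=Example Corp,C=US", fixed=True))
```

With the default subject base both code paths agree, which is why the bug only surfaces on deployments installed with a custom `--subject` base; the check worth keeping from this is to compare DNs structurally rather than as strings, so attribute case and whitespace differences do not produce a second nickname for the same cert.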

@tkrizek tkrizek self-assigned this Nov 8, 2016
@tkrizek
Contributor

tkrizek commented Nov 10, 2016

Works as expected.

@tkrizek tkrizek added the ack Pull Request approved, can be merged label Nov 10, 2016
@frasertweedale frasertweedale force-pushed the fix/6415-replica-install-spurious-certstore-entries branch from 1b52c2f to a6ce7e0 Compare November 11, 2016 01:57
@HonzaCholasta
Contributor

@HonzaCholasta HonzaCholasta added the pushed Pull Request has already been pushed label Nov 11, 2016
@frasertweedale frasertweedale deleted the fix/6415-replica-install-spurious-certstore-entries branch November 11, 2016 06:08