Hi All,
We run a FreeIPA server (3.0.0) on SL6. Fedora 21 clients are unable to
complete freeipa-client-install. It fails due to a parsing error of the
CA certificate. I tracked down the error and it seems our
cn=CACert,cn=ipa,cn=etc entry is invalid. This is the ldif:
dn: cn=CACert,cn=ipa,cn=etc,dc=xyz,dc=abc, dc=de
objectClass: top
objectClass: pkiCA
objectClass: nsContainer
cn: CAcert
cACertificate;binary:: (this field contains base64 encoded data, not
binary data)
I modified the certstore.py script and changed line 299 from
cert = entry.single_value['cACertificate;binary']
to:
cert = base64.b64decode(entry.single_value['cACertificate;binary'])
after that ipa-client-install completes without a problem.
We have been running FreeIPA for a few years now, so perhaps something went wrong with
an update of the server at some point and the cn=CACert entry was not
updated correctly.
What's the valid format of the CACert entry in LDAP? Can we change it to
binary without other clients ending up in trouble? Guessing from the
get_ca_certs function we also want other attributes like ipaCertSubject,
ipaCertIssuerSerial,... These are also missing in our server but perhaps
these were only added in later FreeIPA server versions.
Thanks,
Bram
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
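An offline check for the problem described above, added here as an example (it is not code from the post and not FreeIPA's own certstore.py). It parses a single LDIF entry, with the `::` base64 convention and line folding of RFC 2849, and then classifies what the `cACertificate;binary` value actually holds: raw DER (what the client expects) or base64 text of DER (the double-encoded shape the post describes, which is why an extra `base64.b64decode` made the client work). The certificate bytes, the DN and the two LDIF entries are constructed stand-ins, not data from the post; the attribute names `ipaCertSubject` and `ipaCertIssuerSerial` are the ones the post mentions as apparently expected by `get_ca_certs`.

```python
import base64
import re

# Constructed stand-in for a certificate: a minimal DER SEQUENCE { INTEGER 1 }.
# A real cACertificate is a full X.509 DER blob; only the outer SEQUENCE
# header and its declared length are checked below, which is enough to tell
# DER apart from base64 text.
FAKE_DER_CERT = b"\x30\x03\x02\x01\x01"

# Attributes the post says get_ca_certs also looks for (besides the cert).
EXPECTED_ATTRS = ("cACertificate;binary", "ipaCertSubject", "ipaCertIssuerSerial")


def _der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose declared length matches
    the buffer size, which is the outer shape of every DER X.509 certificate."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    elif first in (0x81, 0x82, 0x83):      # long-form length, 1-3 bytes
        n = first & 0x7F
        if len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    else:
        return False
    return hdr + length == len(data)


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry (RFC 2849) into {attribute: [bytes, ...]}.
    'attr:: v' carries base64-encoded bytes, 'attr: v' the literal value.
    A line starting with one space continues the previous line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        m = re.match(r"^([^:]+)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, val = m.groups()
        value = base64.b64decode(val) if sep == "::" else val.encode()
        entry.setdefault(attr, []).append(value)
    return entry


def classify_ca_value(value: bytes) -> str:
    """What does the stored cACertificate;binary value hold?
    'der'         - raw DER, the shape the client code expects
    'base64-text' - base64 text of DER: decoding once more yields DER, the
                    broken shape the post describes
    'unknown'     - neither"""
    if _der_sequence_ok(value):
        return "der"
    try:
        inner = base64.b64decode(value.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"
    return "base64-text" if _der_sequence_ok(inner) else "unknown"


def check_entry(ldif_text: str) -> dict:
    """Return the classification of the CA value plus any attributes from
    EXPECTED_ATTRS that the entry lacks."""
    entry = parse_ldif_entry(ldif_text)
    certs = entry.get("cACertificate;binary", [])
    return {
        "cert_format": classify_ca_value(certs[0]) if certs else "missing",
        "missing_attrs": [a for a in EXPECTED_ATTRS if a not in entry],
    }


def _ldif_line(attr: str, raw: bytes) -> str:
    """Emit an LDIF line in '::' (base64) form, as an LDAP export would."""
    return "%s:: %s" % (attr, base64.b64encode(raw).decode())


_HEADER = [
    "dn: cn=CACert,cn=ipa,cn=etc,dc=example,dc=test",   # constructed DN
    "objectClass: top", "objectClass: pkiCA", "objectClass: nsContainer",
    "cn: CAcert",
]
# Healthy entry: the attribute holds raw DER, so LDIF base64-encodes it once.
GOOD_ENTRY = "\n".join(_HEADER + [_ldif_line("cACertificate;binary", FAKE_DER_CERT)])
# Broken entry (the shape in the post): the attribute itself holds base64 text,
# so the LDIF export base64-encodes that text a second time.
BROKEN_ENTRY = "\n".join(_HEADER + [
    _ldif_line("cACertificate;binary", base64.b64encode(FAKE_DER_CERT))])

if __name__ == "__main__":
    for name, ldif in (("good", GOOD_ENTRY), ("broken", BROKEN_ENTRY)):
        print(name, check_entry(ldif))
```

To run it against a live server, feed the output of an `ldapsearch -LLL` for the `cn=CACert,cn=ipa,cn=etc` entry into `check_entry`; a result of `base64-text` is the case where python-ldap has already undone the LDIF `::` layer and the attribute value is still not DER, which is exactly why the client-side parse fails.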