Bug 451014 - ipa-server-certinstall - Directory name error
Summary: ipa-server-certinstall - Directory name error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Duplicates: 452300
Depends On:
Blocks: 453489
Reported: 2008-06-12 11:58 UTC by Eric Desgranges
Modified: 2015-01-04 23:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-04 18:21:23 UTC


Attachments
properly convert realm name into DS instance name (deleted)
2008-07-01 14:15 UTC, Rob Crittenden


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0643 normal SHIPPED_LIVE ipa bug fix update 2008-08-04 18:20:50 UTC

Description Eric Desgranges 2008-06-12 11:58:14 UTC
ipa-server-certinstall -d .....

assumes CA certificate is located in:
/etc/dirsrv/slapd-DOMAIN.COM/

but IPA installation routines put it in:
/etc/dirsrv/slapd-DOMAIN-COM/

('.' vs '-').

Comment 1 Rob Crittenden 2008-06-12 19:02:40 UTC
The fix for this is:

diff --git a/ipa-server/ipa-install/ipa-server-certinstall b/ipa-server/ipa-inst
all/ipa-server-certinstall
index e769627..90130e4 100644
--- a/ipa-server/ipa-install/ipa-server-certinstall
+++ b/ipa-server/ipa-install/ipa-server-certinstall
@@ -134,7 +134,7 @@ def main():
         if options.dirsrv:
             dm_password = getpass.getpass("Directory Manager password: ")
             realm = get_realm_name()
-            dirname = dsinstance.config_dirname(realm)
+            dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(re
alm))
             server_cert = import_cert(dirname, pkcs12_fname)
             set_ds_cert_name(server_cert[0], dm_password)
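
Review bot: On the line after the change, import_cert(dirname, pkcs12_fname) uses the computed dirname with no check that the directory exists, and this bug was exactly a path that did not match the one the installation routines created. Suggest verifying the directory right after it is computed and exiting with a message that names the path before the import starts. The realm-to-server-id conversion is also done here at the call site rather than inside config_dirname, so any other caller that passes a raw realm would hit the same '.' vs '-' mismatch; it is worth checking the other callers.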


Comment 2 Rob Crittenden 2008-07-01 14:15:49 UTC
Created attachment 310674
properly convert realm name into DS instance name

Comment 3 Rob Crittenden 2008-07-01 19:12:40 UTC
master: e9196e2d9311f4de0423745568fe72f69dc4fa52

Comment 4 Rob Crittenden 2008-07-03 17:30:19 UTC
Need to commit to ipa-1-0 branch as well

Comment 5 Rob Crittenden 2008-07-03 17:52:07 UTC
*** Bug 452300 has been marked as a duplicate of this bug. ***

Comment 6 Rob Crittenden 2008-07-03 19:28:57 UTC
ipa-1-0: 23a9b65c9c0c82985cdc0efbe15c9530ab9da72d

Comment 9 Yi Zhang 2008-07-24 23:07:52 UTC
Bug verification: passed

test:
step 1: generate self-signed cert
step 2: run ipa-server-certinstall -d to import cert

test output is below:
--------------------------------------
[step 1]

server64[07/22/08 19:48]/tmp/nss >certutil -L -d . -n yi-cert-01

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123 (0x7b)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ipaqa.ipa.com,O=redhat"
        Validity:
            Not Before: Wed Jul 23 02:48:18 2008
            Not After : Sat Jan 23 02:48:18 2010
        Subject: "CN=ipaqa.ipa.com,O=redhat"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Data Encipherment
                    Key Agreement
                    Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
    Fingerprint (MD5):
        7B:45:85:22:6B:7C:D7:31:67:DD:22:AD:70:EC:04:9B
    Fingerprint (SHA1):
        DA:1A:DB:0D:C4:26:99:B9:F4:D2:E3:A6:53:3B:EE:74:82:DF:91:71

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User
----------------------------------
[step 2]

server64[07/22/08 19:48]/tmp/nss >ipa-server-certinstall -d --dirsrv_pin=netscape /tmp/nss/yi.p12
Directory Manager password: 
Please select the certificate to use:
1. Certificate Nickname Trust
2. yi-cert-01
Certificate number [1]: 2

You have new mail in /var/spool/mail/root
server64[07/22/08 19:48]/tmp/nss >certutil -L -d /etc/dirsrv/slapd-IPAQA-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

yi-cert-01                                                   CTu,Cu,u


Comment 11 errata-xmlrpc 2008-08-04 18:21:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0643.html

