[Pkg-freeipa-devel] Bug#924590: freeipa-client: /usr/local/share/ca-certificates/ipa-ca.crt contains multiple certificates and extra non-certificate data

Sam Morris sam at robots.org.uk
Thu Mar 14 17:58:49 GMT 2019

Package: freeipa-client
Version: 4.7.2-2
Severity: wishlist

My FreeIPA's CA certificate is signed by an external root CA certificate.
Consequenty, ipa-client-install puts both the external root CA certificate
and the intermediate CA certificate into

This has caused problems with the clients of ca-certificates in the
past. For instance, p11-kit expects the files in that directory to not
contain any comments or other text. When it encountered the file that
ipa-client-install put there, it 'failed shut' and as a result the trust
list ended up being empty!

This was fixed on the p11-kit end, but on reflection I feel that even
though the exact specification of what is valid in
/usr/local/share/ca-certificates is not written down anywhere,
freeipa-client should not violate the following rules:

 1. .crt files in that directory should only contain root CA certificates
 2. .crt files in that directory should not contain comments or any
    non-certificate data
 3. .crt files in that directory should contain only one certificate

You might argue that if update-ca-certificates wants to enforce any or
all of the above rules, that it should at least warn when they are
violated and skip the file, rather than silently including it into
/etc/ssl/certs/ca-certificates.crt for it to confuse clients. I wouldn't
necessarily disagree; feel free to reassign this to ca-certificates if
that is the case, for the maintainers of that package to consider if
what freeipa-client is doing is right or wrong. :)

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (570, 'testing-debug'), (570, 'testing'), (540, 'unstable-debug'), (540, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeipa-client depends on:
ii  bind9utils                   1:9.11.5.P4+dfsg-1
ii  certmonger                   0.79.6-1
ii  curl                         7.64.0-1
ii  dnsutils                     1:9.11.5.P4+dfsg-1
ii  freeipa-common               4.7.2-2
ii  krb5-user                    1.17-2
ii  libbasicobjects0             0.6.1-2
ii  libc6                        2.28-8
ii  libcollection4               0.6.1-2
ii  libcom-err2                  1.44.5-1
ii  libini-config5               0.6.1-2
ii  libk5crypto3                 1.17-2
ii  libkrb5-3                    1.17-2
ii  libldap-2.4-2                2.4.47+dfsg-3
ii  libnspr4                     2:4.20-1
ii  libnss-sss                   1.16.3-3.1
ii  libnss3                      2:3.42.1-1
ii  libnss3-tools                2:3.42.1-1
ii  libpam-sss                   1.16.3-3.1
ii  libpopt0                     1.16-12
ii  libref-array1                0.6.1-2
ii  libsasl2-2                   2.1.27+dfsg-1
ii  libsasl2-modules-gssapi-mit  2.1.27+dfsg-1
ii  libssl1.1                    1.1.1b-1
ii  libsss-sudo                  1.16.3-3.1
ii  libxmlrpc-core-c3            1.33.14-8+b1
ii  oddjob-mkhomedir             0.34.4-1
ii  python                       2.7.15-4
ii  python-dnspython             1.16.0-1
ii  python-gssapi                1.4.1-1+b1
ii  python-ipaclient             4.7.2-2
ii  python-ldap                  3.1.0-2
ii  python-sss                   1.16.3-3.1
ii  sssd                         1.16.3-3.1

Versions of packages freeipa-client recommends:
ii  chrony  3.4-2

Versions of packages freeipa-client suggests:
pn  libpam-krb5  <none>

-- no debconf information

More information about the Pkg-freeipa-devel mailing list