[Pkg-freeipa-devel] Bug#924590: freeipa-client: /usr/local/share/ca-certificates/ipa-ca.crt contains multiple certificates and extra non-certificate data
Sam Morris
sam at robots.org.uk
Thu Mar 14 17:58:49 GMT 2019
Package: freeipa-client
Version: 4.7.2-2
Severity: wishlist
My FreeIPA's CA certificate is signed by an external root CA certificate.
Consequently, ipa-client-install puts both the external root CA certificate
and the intermediate CA certificate into
/usr/local/share/ca-certificates/ipa-ca.crt.
This has caused problems with the clients of ca-certificates in the
past. For instance, p11-kit expects the files in that directory to not
contain any comments or other text. When it encountered the file that
ipa-client-install put there, it 'failed shut' and as a result the trust
list ended up being empty!
This was fixed on the p11-kit end, but on reflection I feel that even
though the exact specification of what is valid in
/usr/local/share/ca-certificates is not written down anywhere,
freeipa-client should not violate the following rules:
1. .crt files in that directory should only contain root CA certificates
2. .crt files in that directory should not contain comments or any
non-certificate data
3. .crt files in that directory should contain only one certificate
You might argue that if update-ca-certificates wants to enforce any or
all of the above rules, that it should at least warn when they are
violated and skip the file, rather than silently including it into
/etc/ssl/certs/ca-certificates.crt for it to confuse clients. I wouldn't
necessarily disagree; feel free to reassign this to ca-certificates if
that is the case, for the maintainers of that package to consider if
what freeipa-client is doing is right or wrong. :)
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (570, 'testing-debug'), (570, 'testing'), (540, 'unstable-debug'), (540, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages freeipa-client depends on:
ii bind9utils 1:9.11.5.P4+dfsg-1
ii certmonger 0.79.6-1
ii curl 7.64.0-1
ii dnsutils 1:9.11.5.P4+dfsg-1
ii freeipa-common 4.7.2-2
ii krb5-user 1.17-2
ii libbasicobjects0 0.6.1-2
ii libc6 2.28-8
ii libcollection4 0.6.1-2
ii libcom-err2 1.44.5-1
ii libini-config5 0.6.1-2
ii libk5crypto3 1.17-2
ii libkrb5-3 1.17-2
ii libldap-2.4-2 2.4.47+dfsg-3
ii libnspr4 2:4.20-1
ii libnss-sss 1.16.3-3.1
ii libnss3 2:3.42.1-1
ii libnss3-tools 2:3.42.1-1
ii libpam-sss 1.16.3-3.1
ii libpopt0 1.16-12
ii libref-array1 0.6.1-2
ii libsasl2-2 2.1.27+dfsg-1
ii libsasl2-modules-gssapi-mit 2.1.27+dfsg-1
ii libssl1.1 1.1.1b-1
ii libsss-sudo 1.16.3-3.1
ii libxmlrpc-core-c3 1.33.14-8+b1
ii oddjob-mkhomedir 0.34.4-1
ii python 2.7.15-4
ii python-dnspython 1.16.0-1
ii python-gssapi 1.4.1-1+b1
ii python-ipaclient 4.7.2-2
ii python-ldap 3.1.0-2
ii python-sss 1.16.3-3.1
ii sssd 1.16.3-3.1
Versions of packages freeipa-client recommends:
ii chrony 3.4-2
Versions of packages freeipa-client suggests:
pn libpam-krb5 <none>
-- no debconf information
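The three rules listed in the report, turned into a check that can be run against a client before update-ca-certificates does, as an added example that is not part of the original report nor code from freeipa-client, ca-certificates or p11-kit. Rule 1 is approximated as "issuer equals subject" (a self-issued certificate, which is what a root CA looks like on the wire); the minimal DER walker, the `make_pem_stub` builder that produces a certificate-shaped DER skeleton (not a real, signed certificate) and the `SAMPLE_IPA_CA_CRT` contents are constructed for the example.

```python
"""Lint the .crt files update-ca-certificates collects from
/usr/local/share/ca-certificates against three rules from the bug report:
  rule 1: only root CA certificates (approximated here as issuer == subject)
  rule 2: no comments or other non-certificate data
  rule 3: exactly one certificate per file
"""
import base64
import re
import sys
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----\s*",
    re.DOTALL,
)


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value: bytes):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _der_read(value, pos)
        out.append((tag, val))
    return out


def issuer_and_subject(der: bytes):
    """Return (issuer, subject) Name contents from an X.509 certificate.
    Certificate = SEQ { TBSCertificate = SEQ { [0] version OPTIONAL, serial,
    signatureAlgorithm, issuer, validity, subject, ... }, ... }"""
    tag, cert, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, tbs, _ = _der_read(cert, 0)
    fields = _der_children(tbs)
    if fields and fields[0][0] == 0xA0:       # explicit [0] version, optional
        fields = fields[1:]
    return fields[2][1], fields[4][1]         # issuer, subject


def lint_crt(data: bytes):
    """Return a list of rule violations for one .crt file body (empty = clean)."""
    problems = []
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return ["no PEM certificate found"]
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} certificates in one file (rule 3)")
    leftover = PEM_BLOCK.sub(b"", data).strip()
    if leftover:
        problems.append(f"non-certificate data present: {leftover[:40]!r} (rule 2)")
    for i, b64 in enumerate(blocks):
        try:
            issuer, subject = issuer_and_subject(base64.b64decode(b64))
        except (ValueError, IndexError) as exc:
            problems.append(f"certificate {i}: undecodable ({exc})")
            continue
        if issuer != subject:
            problems.append(f"certificate {i}: issuer != subject, not a root CA (rule 1)")
    return problems


def scan_directory(directory="/usr/local/share/ca-certificates"):
    """Map every *.crt under the directory to its list of problems."""
    return {str(p): lint_crt(p.read_bytes()) for p in sorted(Path(directory).rglob("*.crt"))}


# ---- constructed test input (assumption: not a real certificate) ----------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_pem_stub(issuer_cn: bytes, subject_cn: bytes) -> bytes:
    """Certificate-shaped DER skeleton (TBS field layout only, dummy signature)
    wrapped in PEM, so the linter can be exercised offline."""
    def name(cn):  # Name = SEQ { SET { SEQ { OID commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
                     + name(issuer_cn)
                     + _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"290101000000Z"))
                     + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


# What an externally-signed IPA CA chain plus a comment line would look like.
SAMPLE_IPA_CA_CRT = (b"# Added by ipa-client-install\n"
                     + make_pem_stub(b"External Root", b"External Root")
                     + make_pem_stub(b"External Root", b"IPA Intermediate"))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/share/ca-certificates"
    for path, probs in scan_directory(target).items():
        print(path, "OK" if not probs else "\n  " + "\n  ".join(probs))
```

Run it with no arguments to lint the live directory, or with a directory path. The sample data above reproduces the report's situation: it trips all three rules (two certificates, a comment line, and an intermediate whose issuer differs from its subject), while a lone self-issued stub passes.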