Bug 1007817

Summary: [ RFE ] - Add method of updating ca-bundle.crt
Product: [Fedora] Fedora
Reporter: Alexander Todorov <atodorov>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: anaconda-maint-list, dshea, g.kaviyarasu, jonathan, mkolman, pjanda, sbueno, vanmeeuwen+fedora
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 982932
Last Closed: 2014-01-16 20:11:46 UTC
Type: Bug

Description Alexander Todorov 2013-09-13 11:35:05 UTC
Cloning for Fedora

+++ This bug was initially created as a clone of Bug #982932 +++

Description of problem:

When I replace etc/pki/tls/certs/ca-bundle.crt in the initrd.img used for installation,
it is replaced in stage 2 by that file from install.img.

Version-Release number of selected component (if applicable):

anaconda 13.21.195
RHEL-6.5

How reproducible:
always


Steps to Reproduce:
1. set up your own certificate authority (CA), and an HTTPS server with a certificate signed by this CA
2. modify initrd.img - put CA certificate into etc/pki/tls/certs/ca-bundle.crt
3. prepare kickstart with url --url=https://yourserver/path 
4. start new installation with ks parameter pointing to your kickstart

Actual results:

1. anaconda is able to download product.img, install.img but is not able to download repomd.xml

2. /etc/pki/tls/certs/ca-bundle.crt is replaced by file from install.img 

Expected results:

1. ca-bundle.crt is not replaced or is merged
2. anaconda will continue in installation


--- Additional comment from David Cantrell on 2013-07-31 20:50:37 EEST ---

We have never had official support for updating ca-bundle.crt on the installation media or really any other install-time method to supplement the CAs provided.  Both the 'url' and 'repo' kickstart commands have the --noverifyssl option to work around the local self-signed certificate issues.

For this RFE to be considered in RHEL, we would first need to see a design and implementation in Fedora.  The 'url' and 'repo' kickstart commands could be expanded to also accept a .pem file or data somehow provided in the kickstart file and the installer could supplement the ca-bundle.crt at run time.  That's just an idea.

I'll leave it to you to file the RFE for Fedora.  Setting this bug to devel_ack-

Comment 1 Chris Lumens 2013-12-09 17:21:33 UTC
Can you not just use an updates.img for this purpose?  It should just overlay whatever's on the installation media.
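
Added example, not part of the original bug report or of anaconda's code: one way to produce the "merged" bundle from the expected results and package it as the updates.img overlay suggested in Comment 1, so that certificate verification stays enabled instead of using --noverifyssl. The function names and file paths are hypothetical, and it assumes updates.img is a gzip-compressed cpio archive laid out relative to the installer root; the page does not confirm that the overlay is applied to this file.

```shell
#!/bin/sh
# Added example: merge a private CA into the installer's CA bundle and
# package it as an updates.img overlay. Function names are hypothetical.

# merge_ca_bundle BUNDLE EXTRA_PEM OUT
# Copies BUNDLE to OUT unchanged, then appends each certificate from EXTRA_PEM
# whose base64 body is not already present (so re-running is idempotent).
merge_ca_bundle() {
    bundle=$1; extra=$2; out=$3
    grep -q -e '-----BEGIN CERTIFICATE-----' "$extra" || {
        echo "no PEM certificate found in $extra" >&2
        return 1
    }
    awk '
        /-----BEGIN CERTIFICATE-----/ { incert = 1; body = ""; block = "" }
        incert {
            block = block $0 "\n"
            if ($0 !~ /^-----/) { line = $0; gsub(/[ \t\r]/, "", line); body = body line }
        }
        FILENAME == ARGV[1] { print }        # existing bundle passes through
        /-----END CERTIFICATE-----/ {
            incert = 0
            if (FILENAME != ARGV[1] && !(body in seen)) printf "%s", block
            seen[body] = 1
        }
    ' "$bundle" "$extra" > "$out"
}

# build_updates_img MERGED_BUNDLE IMG
# Assumption: updates.img is a gzip-compressed cpio archive whose paths are
# relative to the installer root, so this file overlays the stock bundle.
build_updates_img() {
    merged=$1; img=$2
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/etc/pki/tls/certs"
    cp "$merged" "$stage/etc/pki/tls/certs/ca-bundle.crt"
    (cd "$stage" && find . | cpio -o -H newc | gzip -9) > "$img"
    rc=$?
    rm -rf "$stage"
    return "$rc"
}

# Usage (file names are placeholders; stock-ca-bundle.crt is the bundle
# copied out of the installer image):
#   merge_ca_bundle stock-ca-bundle.crt my-ca.pem merged.crt
#   build_updates_img merged.crt updates.img
```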