Bug 1251492
| Summary: | ipa-client-install asks downloading CA cert that is already present in the system (in Shared System Certificates) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Jaša <djasa> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Namita Soman <nsoman> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | abokovoy, pasik, pvoborni, rcritten |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-11-29 16:09:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
edge case, moving to 7.3 Upstream ticket: https://fedorahosted.org/freeipa/ticket/5201 After reviewing this request, we finally considered to close it as WONTFIX. --ca-cert-file option already provides a way to sideload a CA certificate chain which will not verify its validity for IPA domain by not talking to the IPA master. The method as described in the description does not utilize existing and documented feature. We do not have any way of verifying whether a particular certificate from the system-wide store is valid for IPA domain because there is no general constraint for that for CAs. Technically, any CA from a trusted store could issue a certificate for IPA domain and the only way to validate that is by contacting some existing IPA server with a server certificate that could be validated. However, such a procedure means we can equally well retrieve the CA certificate chain that IPA master advertises. As result, if you want to avoid the validation, use --ca-cert-file for side-loading of CA certificate. |
Description of problem: ipa-client-install asks CA with certificate in Shared System Certificates Version-Release number of selected component (if applicable): ipa-client-4.2.0-3.el7.x86_64 How reproducible: always Steps to Reproduce: 1. have a fresh RHEL 7.2 machine - a prospective IPA client 2. add IPA cert to shared system certs (it should be retrieved from already-trusted location in production use) > # wget -O /etc/pki/ca-trust/source/anchors/ipa.pem http://ipa.example.org/ipa/config/ca.crt > # update-ca-trust 3. run ipa-client install without --ca-cert-file option Actual results: ipa-client-install asks if it should download the cert from IPA itself Expected results: ipa-client-install should know use the cert from shared certificates Additional info: