Bug 1710632

Summary: certmonger should download full CA chain from IPA
Product: Red Hat Enterprise Linux 8 Reporter: Rob Crittenden <rcritten>
Component: certmongerAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: averi, ksiddiqu, mschuppe, myusuf, nalin, nkinder, pcech, pvoborni, tscherf
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: certmonger-0.79.7-4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:01:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Rob Crittenden 2019-05-15 22:07:16 UTC
Description of problem:
certmonger can download the root certificate from an IPA master. It currently uses cn=cacert,cn=ipa,cn=etc, $SUFFIX as the source of that but it should use cn=certificates,cn=ipa,cn=etc,$SUFFIX instead to pull in all know CA certificates. This will include the entire chain that needs to be trusted by IPA.

This is for use with the -F option.

Note that IPA provides a mechanism to download these certificates system-wide, ipa-certupdate.

Version-Release number of selected component (if applicable):

Comment 3 Rob Crittenden 2019-10-16 20:22:34 UTC
master: b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864

Comment 8 Mohammad Rizwan 2020-01-20 09:16:28 UTC
Test passed in CI pipeline. Hence marking the bug as verified.

Comment 9 Rob Crittenden 2020-04-14 21:31:54 UTC
Correction to upstream patch

Comment 10 Andrea Veri 2020-04-15 19:47:36 UTC

I can confirm your patch works great for RHEL 7 as well, would you mind spinning an errata and push it to RHEL 7 as well for inclusion? 


Comment 11 Rob Crittenden 2020-04-15 22:08:54 UTC
It's not as simple as that.

Comment 13 errata-xmlrpc 2020-04-28 16:01:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.