Bug 1710632

Summary: certmonger should download full CA chain from IPA
Product: Red Hat Enterprise Linux 8
Component: certmonger
Version: 8.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Rob Crittenden <rcritten>
Assignee: Rob Crittenden <rcritten>
QA Contact: ipa-qe <ipa-qe>
CC: averi, ksiddiqu, mschuppe, myusuf, nalin, nkinder, pcech, pmorey, pvoborni, tscherf
Target Milestone: rc
Target Release: 8.0
Keywords: ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: certmonger-0.79.7-4
Doc Type: If docs needed, set a value
Last Closed: 2020-04-28 16:01:49 UTC
Type: Bug
Bug Blocks: 1844399, 1844402, 1845082

Description Rob Crittenden 2019-05-15 22:07:16 UTC
Description of problem:
certmonger can download the root certificate from an IPA master. It currently uses cn=cacert,cn=ipa,cn=etc,$SUFFIX as the source of that, but it should use cn=certificates,cn=ipa,cn=etc,$SUFFIX instead to pull in all known CA certificates. This will include the entire chain that needs to be trusted by IPA.

This is for use with the -F option.

Note that IPA provides a mechanism to download these certificates system-wide, ipa-certupdate.

Version-Release number of selected component (if applicable):
certmonger-0.79.6-5.el8

Comment 3 Rob Crittenden 2019-10-16 20:22:34 UTC
master: b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864

Comment 8 Mohammad Rizwan 2020-01-20 09:16:28 UTC
Test passed in CI pipeline. Hence marking the bug as verified.

Comment 9 Rob Crittenden 2020-04-14 21:31:54 UTC
Correction to upstream patch
64702b25951ce996532afea7d627612d6bba7451
720922b88fb32aeeddca74d01e4824ce8a08910d

Comment 10 Andrea Veri 2020-04-15 19:47:36 UTC
Rob,

I can confirm your patch works great for RHEL 7 as well. Would you mind spinning an errata and pushing it to RHEL 7 as well for inclusion?

Thanks,

Comment 11 Rob Crittenden 2020-04-15 22:08:54 UTC
It's not as simple as that.

Comment 13 errata-xmlrpc 2020-04-28 16:01:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1704