Bug 1007817 - [ RFE ] - Add method of updating ca-bundle.crt
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-09-13 11:35 UTC by Alexander Todorov
Modified: 2014-09-01 11:49 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 982932
Environment:
Last Closed: 2014-01-16 20:11:46 UTC
Type: Bug



Description Alexander Todorov 2013-09-13 11:35:05 UTC
Cloning for Fedora

+++ This bug was initially created as a clone of Bug #982932 +++

Description of problem:

When I replace etc/pki/tls/certs/ca-bundle.crt in the initrd.img used for installation,
it is replaced in stage 2 by the file from install.img.

Version-Release number of selected component (if applicable):

anaconda 13.21.195
RHEL-6.5

How reproducible:
always


Steps to Reproduce:
1. Set up your own certificate authority (CA) and an https server with a certificate signed by this CA
2. Modify initrd.img - put the CA certificate into etc/pki/tls/certs/ca-bundle.crt
3. Prepare a kickstart with url --url=https://yourserver/path
4. Start a new installation with the ks parameter pointing to your kickstart

Actual results:

1. anaconda is able to download product.img and install.img but is not able to download repomd.xml

2. /etc/pki/tls/certs/ca-bundle.crt is replaced by the file from install.img

Expected results:

1. ca-bundle.crt is not replaced or is merged
2. anaconda will continue with the installation


--- Additional comment from David Cantrell on 2013-07-31 20:50:37 EEST ---

We have never had official support for updating ca-bundle.crt on the installation media or really any other install-time method to supplement the CAs provided.  Both the 'url' and 'repo' kickstart commands have the --noverifyssl option to work around the local self-signed certificate issues.

For this RFE to be considered in RHEL, we would first need to see a design and implementation in Fedora.  The 'url' and 'repo' kickstart commands could be expanded to also accept a .pem file or data somehow provided in the kickstart file and the installer could supplement the ca-bundle.crt at run time.  That's just an idea.

I'll leave it to you to file the RFE for Fedora.  Setting this bug to devel_ack-

Comment 1 Chris Lumens 2013-12-09 17:21:33 UTC
Can you not just use an updates.img for this purpose?  It should just overlay whatever's on the installation media.
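
The merge asked for under "Expected results", staged for the updates.img route suggested in Comment 1, as an added example that is not part of this bug report and not anaconda code. It assumes the updates image is a gzip-compressed cpio archive overlaid on the installer root and that the site CA file holds one certificate; the helper names merge_ca and stage_update are hypothetical.

```shell
#!/bin/sh
# Added example, not anaconda code. Assumes one certificate per site CA file.
set -eu

# Strip whitespace so line wrapping does not affect the comparison.
flatten() { tr -d ' \r\n' < "$1"; }

# merge_ca BUNDLE CA_PEM OUT
# Copy BUNDLE to OUT and append CA_PEM unless it is already present.
merge_ca() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$2" || {
        echo "not a PEM certificate: $2" >&2; return 1; }
    cp "$1" "$3"
    if flatten "$1" | grep -qF -- "$(flatten "$2")"; then
        return 0                      # already in the bundle, keep it as is
    fi
    { printf '\n'; cat "$2"; } >> "$3"
}

# stage_update BUNDLE CA_PEM WORKDIR
# Place the merged bundle at the path from the report under WORKDIR/tree
# and, when cpio and gzip are installed, pack the tree as WORKDIR/updates.img
# (assumed format: gzip-compressed cpio archive).
stage_update() {
    tree=$3/tree
    mkdir -p "$tree/etc/pki/tls/certs"
    merge_ca "$1" "$2" "$tree/etc/pki/tls/certs/ca-bundle.crt" || return 1
    if command -v cpio >/dev/null 2>&1 && command -v gzip >/dev/null 2>&1; then
        (cd "$tree" && find . | cpio -o -H newc 2>/dev/null | gzip -9) \
            > "$3/updates.img"
    fi
}

# Demo on constructed placeholder PEM blocks (not real certificates).
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
    '-----END CERTIFICATE-----' > "$work/ca-bundle.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' \
    '-----END CERTIFICATE-----' > "$work/site-ca.pem"
stage_update "$work/ca-bundle.crt" "$work/site-ca.pem" "$work"
echo "staged under $work/tree"
```

Unlike --noverifyssl, this keeps certificate verification on and only extends the set of trusted CAs.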

