Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1031111

Summary: ipa-client: add root CA to trust anchors if not already available
Product: Red Hat Enterprise Linux 7 Reporter: David Jaša <djasa>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: awilliam, pviktori, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:10:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Jaša 2013-11-15 16:06:34 UTC 
Description of problem:
currently, when machine is added to FreeIPA/IdM domain and FreeIPAs certificate is not among trust anchors of the system, administrator has to add it (or the CA that signed IdM's CA) to the trust anchors manually. This task can be automated for administrator thanks to Shared System Certificates:
1. export freeipa CA (or some CA in its chain) to pem file
2. move/copy the pem file to /etc/pki/ca-trust/source/anchors/
3. call 'update-ca-trust'
In future releases of p11-kit, the procedure will be simplified by merging steps 2+3 to a single command: trust anchor /path/to/exported_cert.pem

Version-Release number of selected component (if applicable):
ipa-client-3.3.3-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. add host to ipa domain using ipa-client-install
2. look if IdM's CA cert (or it's root CA certificate) is installed
3.

Actual results:
CA anchor must be manually added (or be in store prior to ipa-client-install time)

Expected results:
CA anchor is added as part of ipa-client-install

Additional info:
This upstream ticket seems to deal with the same issue: https://fedorahosted.org/freeipa/ticket/3504
Comment 1 Martin Kosek 2013-11-17 21:05:30 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3504
Comment 2 Petr Viktorin (pviktori) 2013-11-20 12:17:23 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4a0e91449e2b65304ae8d660d1a480200b1a13d3
Comment 4 Adam Williamson 2014-09-06 20:58:01 UTC 
If this gets backported to RHEL 7, could we also get it for F19 and F20? I just ran into this today (writing a blog post about it ATM), it'd be nice for people not to have to work out / find out about the workaround.
Comment 5 Martin Kosek 2014-09-11 10:09:14 UTC 
This commit is part of FreeIPA 4.0+ builds, as such it is only officially built for F21 and older. For older Fedoras (and EPEL-7 in future), we are maintaining a COPR repo:

http://copr.fedoraproject.org/coprs/mkosek/freeipa/

If this is not sufficient and the bug is blocking you, I would be open to backport the patch to older FreeIPA 3.3.x releases. Please file official Fedora bug request in that case.
Comment 7 Scott Poore 2015-01-27 19:47:00 UTC 
Should I see /etc/pki/ca-trust/source/anchors/ipa-ca.crt?

I do not see this file at the end of ipa-client-install.

Version ::

ipa-client-4.1.0-16.el7.x86_64

This was installing client for master with self signed ca cert.

[root@rhel7-2 ~]# ipa-client-install
Discovery was successful!
Hostname: rhel7-2.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Jan 27 19:19:00 2015 UTC
    Valid Until: Sat Jan 27 19:19:00 2035 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (rhel7-2.example.com) not found in DNS
DNS server record set to: rhel7-2.example.com -> 192.168.122.72
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-2 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C

[root@rhel7-2 ~]# ls -l /etc/pki/ca-trust/source/anchors/
total 0

From the logs, I see:

2015-01-27T19:24:01Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:01Z DEBUG Process finished, return code=0
2015-01-27T19:24:01Z DEBUG stdout=
2015-01-27T19:24:01Z DEBUG stderr=
2015-01-27T19:24:01Z DEBUG Starting external process
2015-01-27T19:24:01Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Systemwide CA database updated.
2015-01-27T19:24:02Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-27T19:24:02Z DEBUG Starting external process
2015-01-27T19:24:02Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'EXAMPLE.COM IPA CA' '-t' 'CT,C,C'
2015-01-27T19:24:02Z DEBUG Process finished, return code=0
2015-01-27T19:24:02Z DEBUG stdout=
2015-01-27T19:24:02Z DEBUG stderr=
2015-01-27T19:24:02Z INFO Added CA certificates to the default NSS database.

Is this expected behavior?
Comment 8 Scott Poore 2015-01-28 16:44:16 UTC 
Verified.

Ok.  Jan Cholasta pointed me to check /etc/pki/ca-trust-source/ipa.p11-kit.



Version ::

ipa-client-4.1.0-16.el7.x86_64

Results ::

So, between successful log entries in comment #7 and seeing this file in place, this is verified.

[root@rhel7-2 ~]# ls -ld /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 3566 Jan 27 13:24 /etc/pki/ca-trust/source/ipa.p11-kit
Comment 10 errata-xmlrpc 2015-03-05 10:10:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html