Bug 1251492 - ipa-client-install asks downloading CA cert that is already present in the system (in Shared System Certificates)
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-08-07 13:48 UTC by David Jaša
Modified: 2018-11-29 16:09 UTC
Doc Type: If docs needed, set a value
Last Closed: 2018-11-29 16:09:34 UTC

Description David Jaša 2015-08-07 13:48:43 UTC
Description of problem:
ipa-client-install asks for the CA cert with the certificate already in Shared System Certificates

Version-Release number of selected component (if applicable):
ipa-client-4.2.0-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. have a fresh RHEL 7.2 machine - a prospective IPA client
2. add IPA cert to shared system certs (it should be retrieved from an already-trusted location in production use)
   # wget -O /etc/pki/ca-trust/source/anchors/ipa.pem http://ipa.example.org/ipa/config/ca.crt
   # update-ca-trust
3. run ipa-client-install without the --ca-cert-file option

Actual results:
ipa-client-install asks if it should download the cert from IPA itself

Expected results:
ipa-client-install should know to use the cert from the shared certificates

Additional info:

Comment 1 Petr Vobornik 2015-08-11 14:19:08 UTC
edge case, moving to 7.3

Comment 2 Petr Vobornik 2015-08-11 14:20:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5201

Comment 4 Alexander Bokovoy 2018-11-29 16:09:34 UTC
After reviewing this request, we finally decided to close it as WONTFIX.

The --ca-cert-file option already provides a way to side-load a CA certificate chain, which will not verify its validity for the IPA domain since it does not talk to the IPA master.

The method described in the description does not utilize the existing and documented feature. We do not have any way of verifying whether a particular certificate from the system-wide store is valid for the IPA domain, because there is no general constraint for that on CAs. Technically, any CA from a trusted store could issue a certificate for the IPA domain, and the only way to validate that is by contacting some existing IPA server with a server certificate that could be validated. However, such a procedure means we can equally well retrieve the CA certificate chain that the IPA master advertises.

As a result, if you want to avoid the validation, use --ca-cert-file for side-loading of the CA certificate.
