RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
ipa-client-install asks CA with certificate in Shared System Certificates

Version-Release number of selected component (if applicable):
ipa-client-4.2.0-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. have a fresh RHEL 7.2 machine - a prospective IPA client
2. add IPA cert to shared system certs (it should be retrieved from already-trusted location in production use)
> # wget -O /etc/pki/ca-trust/source/anchors/ipa.pem http://ipa.example.org/ipa/config/ca.crt
> # update-ca-trust
3. run ipa-client install without --ca-cert-file option

Actual results:
ipa-client-install asks if it should download the cert from IPA itself

Expected results:
ipa-client-install should know use the cert from shared certificates

Additional info:

edge case, moving to 7.3

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5201

After reviewing this request, we finally considered to close it as WONTFIX.

--ca-cert-file option already provides a way to sideload a CA certificate chain which will not verify its validity for IPA domain by not talking to the IPA master.

The method as described in the description does not utilize existing and documented feature. We do not have any way of verifying whether a particular certificate from the system-wide store is valid for IPA domain because there is no general constraint for that for CAs. Technically, any CA from a trusted store could issue a certificate for IPA domain and the only way to validate that is by contacting some existing IPA server with a server certificate that could be validated. However, such a procedure means we can equally well retrieve the CA certificate chain that IPA master advertises.

As result, if you want to avoid the validation, use --ca-cert-file for side-loading of CA certificate.