Bug 1882697
| Summary: | [RFE] Building clientrpm using rhui-manager should provide additional step to make sslcacert optional. | | |
|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Akshay Kapse <akapse> |
| Component: | RHUA | Assignee: | RHUI Bug List <rhui-bugs> |
| Status: | CLOSED MIGRATED | QA Contact: | Radek Bíba <rbiba> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.1.5 | CC: | gtanzill, mminar |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 4.x | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2025-09-04 07:21:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Any work on this RFE will be tracked in the linked Jira ticket. Closing this BZ.

Description of problem:

When an actual legit root CA signed certificate is in place, this line isn't needed because a valid root CA would already be installed (and trusted) on the client via the ca-bundle (usually located in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt).

While building clientrpms in rhui-manager, as per RHUI version 2.1, there should be an option to either specify the 1-way trust SSL CA certificate used (or confirm the default) or, as a completely new feature, remove the option entirely. I.e. the default option is the self-signed CA cert that the RHUA created, but have an option to override it to be blank (which would therefore remove the sslcaverify= line from the rh-cloud.repo file located in build/SOURCES/${PACKAGE_NAME}-2.0.tar.gz).

When Trusted CA signed SSL certificates are in use on the HAP/CDS', there is no requirement to use sslcaverify= in the rh-cloud.repo file that is packaged up in the client rpm file. In fact, having the entry here actually prevents secure SSL communications between the client and the server due to a certificate signing mismatch. The client would already trust a Trusted CA signed certificate, as its CA would be in the CA-Bundle (usually located here: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt), negating the need to specify it in the repo file.
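
The behaviour requested above, sketched as an added example (not rhui-manager code and not part of the original report): it rewrites a constructed repo file so that the `sslcacert` option named in the bug summary is either set to a given path or dropped, and flags any section where `sslverify` has been switched off instead. The repository ID, URL and certificate paths in the sample are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample; not taken from a real RHUI client RPM.
SAMPLE_REPO = """\
[rhui-example-rhel-server]
name=Example RHUI repository (constructed)
mirrorlist=https://cds.example.com/pulp/mirror/content/example/os
enabled=1
gpgcheck=1
sslverify=1
sslcacert=/etc/pki/rhui/example-ca.crt
sslclientcert=/etc/pki/rhui/product/content.crt
sslclientkey=/etc/pki/rhui/key.pem
"""


def render_repo(repo_text, ca_cert_path):
    """Set sslcacert to ca_cert_path in every section, or drop it if the path is blank.

    Without an sslcacert line, yum/dnf verifies the server certificate against
    the system trust store, which is what a publicly trusted CA needs.
    """
    out = []
    for line in repo_text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key == "sslcacert":
            if ca_cert_path:
                out.append(f"sslcacert={ca_cert_path}")
            continue  # blank path: omit the option entirely
        out.append(line)
    return "\n".join(out) + "\n"


def insecure_sections(repo_text):
    """Return sections that disable verification instead of fixing the CA path."""
    bad, section = [], None
    for line in repo_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key == "sslverify" and value in ("0", "false", "no", "off"):
                bad.append(section)
    return bad


if __name__ == "__main__":
    print(render_repo(SAMPLE_REPO, ""))
```

Dropping the CA line leaves `sslverify=1` in place, so the client still validates the CDS certificate; `insecure_sections` catches the case where a mismatch was worked around by turning verification off.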