#5201 ipa-client-install asks downloading CA cert that is already present in the system (in Shared System Certificates)
Closed: wontfix 5 years ago Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1251492

Description of problem:
ipa-client-install asks CA with certificate in Shared System Certificates

Version-Release number of selected component (if applicable):
ipa-client-4.2.0-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. have a fresh RHEL 7.2 machine - a prospective IPA client
2. add IPA cert to shared system certs (it should be retrieved from an already-trusted location in production use)
   # wget -O /etc/pki/ca-trust/source/anchors/ipa.pem http://ipa.example.org/ipa/config/ca.crt
   # update-ca-trust
3. run ipa-client install without --ca-cert-file option

Actual results:
ipa-client-install asks if it should download the cert from IPA itself

Expected results:
ipa-client-install should know to use the cert from shared certificates

Additional info:

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

After reviewing this request, we finally decided to close it as WONTFIX.

The --ca-cert-file option already provides a way to sideload a CA certificate chain, which will not be verified for validity in the IPA domain since the IPA master is not contacted.

The method described in the description does not utilize the existing and documented feature. We do not have any way of verifying whether a particular certificate from the system-wide store is valid for the IPA domain, because there is no general constraint for that for CAs. Technically, any CA from a trusted store could issue a certificate for the IPA domain, and the only way to validate that is by contacting some existing IPA server with a server certificate that could be validated. However, such a procedure means we can equally well retrieve the CA certificate chain that the IPA master advertises.

As a result, if you want to avoid the validation, use --ca-cert-file for side-loading of the CA certificate.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
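The comment above points out that --ca-cert-file sideloads the CA chain without any online validation against the IPA master, so the administrator has to establish trust in the bundle out of band. As an added example (not FreeIPA's own code), the Python below checks a PEM bundle against a pinned SHA-256 fingerprint before building the ipa-client-install invocation; the certificate bytes, the pinned value and the file path are constructed placeholders.

```python
"""Added example (not FreeIPA code): check a sideloaded CA bundle against a
pinned SHA-256 fingerprint before handing it to ipa-client-install --ca-cert-file.
The sample certificate bytes and the pinned value are constructed placeholders."""
import base64
import hashlib
import re
from typing import List

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> List[bytes]:
    """DER bytes of every certificate in a PEM bundle (CA chains hold several)."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_RE.findall(pem_text)]


def sha256_fingerprints(pem_text: str) -> List[str]:
    """Fingerprints in the AA:BB:... form that openssl x509 -fingerprint -sha256 prints."""
    result = []
    for der in pem_to_der(pem_text):
        hexdigest = hashlib.sha256(der).hexdigest().upper()
        result.append(":".join(hexdigest[i:i + 2] for i in range(0, 64, 2)))
    return result


def bundle_is_pinned(pem_text: str, pinned_fingerprint: str) -> bool:
    """True if the CA known out of band (by fingerprint) is present in the bundle."""
    return pinned_fingerprint.upper().replace(" ", "") in sha256_fingerprints(pem_text)


def client_install_argv(pem_text: str, pinned_fingerprint: str, ca_file: str) -> List[str]:
    """argv for ipa-client-install; refuses an unpinned bundle because
    --ca-cert-file means the IPA master is never consulted for validation."""
    if not bundle_is_pinned(pem_text, pinned_fingerprint):
        raise ValueError("CA bundle %s does not contain the pinned CA" % ca_file)
    return ["ipa-client-install", "--ca-cert-file", ca_file]


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour; used here only to build constructed input."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed two-certificate bundle; these bytes are not real DER certificates.
SAMPLE_BUNDLE = make_pem(b"constructed root CA placeholder") + make_pem(b"constructed sub CA placeholder")

if __name__ == "__main__":
    pinned = sha256_fingerprints(SAMPLE_BUNDLE)[0]  # in practice: a value recorded out of band
    print(client_install_argv(SAMPLE_BUNDLE, pinned, "/etc/pki/ca-trust/source/anchors/ipa.pem"))
```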
