#132 ipa-submit should use system trust
Closed: fixed by rcritten. Opened by ftweedal.

The ipa-submit helper configures libcurl to use /etc/ipa/ca.crt for CA trust. But if the client is not IPA-enrolled via ipa-client-install (e.g. ipa-getkeytab was used to get a host keytab), then this file doesn't necessarily exist. This leads to hard-to-diagnose request failures.

ipa-submit should just use the system trust store. On an IPA server or client this will include the IPA CA. But it means that it will be easier to use the IPA helper on non-IPA-enrolled machines too.


What is the use case for this? Why would you expect to use an IPA master without being enrolled as an IPA client?

Granted, with system trust now working properly passing a specific CA is probably no longer necessary.

@rcritten use case outlined in blog post: https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-integration-ipa-certs.html. AD-enrolled system getting certs from IPA.

Metadata Update from @rcritten:
- Issue assigned to rcritten

I think if we do an existence check on /etc/ipa/ca.crt that will satisfy the request.
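As an added illustration of the check proposed above (example code, not certmonger's own ipa-submit implementation): the decision logic a submit helper would run before handing a CA bundle to libcurl. A bare existence test is not quite enough, because a directory, dangling symlink, empty or unreadable file at that path produces the same libcurl failure (CURLE_SSL_CACERT_BADFILE, "error setting certificate verify locations") as a missing one, so the check below distinguishes "absent, fall back to system trust" from "present but unusable". The function and enum names, the temporary-file helper and the sample contents are assumptions for this example; the path /etc/ipa/ca.crt is the one from the issue.

```c
/* Added example, not code from certmonger. Names below are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define IPA_CA_FILE "/etc/ipa/ca.crt"   /* path named in the issue */

/* Outcome of the trust-selection step. */
enum ca_choice {
    CA_USE_FILE,    /* pass the IPA bundle via curl_easy_setopt(CURLOPT_CAINFO) */
    CA_USE_SYSTEM,  /* file absent: set nothing, libcurl uses the system store */
    CA_UNUSABLE     /* present but not a readable, non-empty regular file */
};

/* Decide how libcurl should be configured for `path`.
 * ENOENT/ENOTDIR mean the host was not enrolled with ipa-client-install
 * (e.g. only ipa-getkeytab was used), which is the fallback case from the
 * issue. Anything else that exists but cannot be loaded is reported as
 * unusable so the caller can log a clear error instead of letting libcurl
 * fail with CURLE_SSL_CACERT_BADFILE later. */
enum ca_choice choose_ca_trust(const char *path)
{
    struct stat st;

    if (path == NULL || *path == '\0')
        return CA_USE_SYSTEM;
    if (stat(path, &st) != 0) {
        if (errno == ENOENT || errno == ENOTDIR)
            return CA_USE_SYSTEM;
        return CA_UNUSABLE;     /* EACCES on a parent directory, etc. */
    }
    if (!S_ISREG(st.st_mode) || st.st_size == 0)
        return CA_UNUSABLE;     /* directory, socket, or empty bundle */
    if (access(path, R_OK) != 0)
        return CA_UNUSABLE;     /* exists but the helper cannot read it */
    return CA_USE_FILE;
}

/* Helper for the demo: create a temporary file with `contents` (constructed
 * sample data) and return its path. The buffer is static, so each call
 * replaces the previous path. Returns NULL on failure. */
const char *make_temp_file(const char *contents)
{
    static char buf[64];
    int fd;

    strcpy(buf, "/tmp/ca-example-XXXXXX");
    fd = mkstemp(buf);
    if (fd < 0)
        return NULL;
    if (*contents != '\0' && write(fd, contents, strlen(contents)) < 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return buf;
}

static const char *describe(enum ca_choice c)
{
    switch (c) {
    case CA_USE_FILE:   return "use CURLOPT_CAINFO with the file";
    case CA_USE_SYSTEM: return "absent, use system trust store";
    default:            return "unusable, report a configuration error";
    }
}

int main(void)
{
    const char *tmp;

    printf("%s: %s\n", IPA_CA_FILE, describe(choose_ca_trust(IPA_CA_FILE)));

    /* Constructed sample: a non-empty bundle stands in for a real CA cert. */
    tmp = make_temp_file("-----BEGIN CERTIFICATE-----\n");
    if (tmp != NULL) {
        printf("%s: %s\n", tmp, describe(choose_ca_trust(tmp)));
        unlink(tmp);
        printf("%s (after unlink): %s\n", tmp, describe(choose_ca_trust(tmp)));
    }
    printf("/ : %s\n", describe(choose_ca_trust("/")));
    return 0;
}
```

In the helper the two usable outcomes map onto libcurl as: CA_USE_FILE calls curl_easy_setopt(curl, CURLOPT_CAINFO, path); CA_USE_SYSTEM makes no CAINFO/CAPATH call at all, which leaves libcurl on the trust store its TLS backend was built with (where the IPA CA is already present on enrolled hosts, as noted in the thread).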

PR https://pagure.io/certmonger/pull-request/194

https://pagure.io/certmonger/c/881a1af1948d529a77fafc4c41b976df79f13991

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
