IPAOpenSSLChainValidation: ignore default trust store
The check IPAOpenSSLChainValidation is ensuring that the
whole certification chain is present in IPA for httpd and RA
certificates.
It internally calls openssl verify -CAfile /etc/ipa/ca.crt.

With the latest version of the ca-certificates package, openssl
verify also uses the default trust store. Since the
test wants to check the chain presence in /etc/ipa/ca.crt, add
the -no-CAfile, -no-CApath and -no-CAstore options to ensure that
only /etc/ipa/ca.crt is used as trusted source.

Fixes: #340

Signed-off-by: Florence Blanc-Renaud <[email protected]>
flo-renaud committed Oct 9, 2024
1 parent e32c890 commit f229ee9
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/ipahealthcheck/ipa/certs.py
@@ -1074,6 +1074,7 @@ def validate_openssl(self, file):
'-verbose',
'-show_chain',
'-CAfile', paths.IPA_CA_CRT,
'-no-CAfile', '-no-CApath', '-no-CAstore',
file]

return ipautil.run(args, raiseonerr=False)
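Review bot: `-no-CAstore` on the added line is only understood by OpenSSL 3.0 and later; `openssl verify` in 1.1.x rejects it as an unknown option and exits before checking anything, and because the call is `ipautil.run(args, raiseonerr=False)` that usage error comes back looking like a failed chain validation rather than a broken invocation. Either build the option list from the installed version (probe `openssl verify -help` for `-no-CAstore`, or branch on `ssl.OPENSSL_VERSION_INFO`) or document the minimum OpenSSL version the check now requires. A short comment above the new line would also help: `-no-CAfile` is harmless but redundant once `-CAfile` is given, since `openssl verify` only falls back to the default CA file when no `-CAfile` is passed; `-no-CApath` and `-no-CAstore` are the options that actually keep the system bundle out of the trust set.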
