From f229ee93887dbf2fc09b2d9a3f77ba3942264168 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Wed, 9 Oct 2024 16:02:28 +0200
Subject: [PATCH] IPAOpenSSLChainValidation: ignore default trust store

The check IPAOpenSSLChainValidation is ensuring that the whole certification chain is present in IPA for httpd and RA certificates. It internally calls openssl verify -CAfile /etc/ipa/ca.crt. With the latest version of ca-certificates package, openssl verify also uses the default trust store. Since the test wants to check the chain presence in /etc/ipa/ca.crt, add the -no-CAfile -no-CApath and -no-CAstore options to ensure that only /etc/ipa/ca.crt is used as trusted source.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/340

Signed-off-by: Florence Blanc-Renaud
---
 src/ipahealthcheck/ipa/certs.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ipahealthcheck/ipa/certs.py b/src/ipahealthcheck/ipa/certs.py
index b73d63c..0b7a995 100644
--- a/src/ipahealthcheck/ipa/certs.py
+++ b/src/ipahealthcheck/ipa/certs.py
@@ -1074,6 +1074,7 @@ def validate_openssl(self, file):
             '-verbose', '-show_chain',
             '-CAfile', paths.IPA_CA_CRT,
+            '-no-CAfile', '-no-CApath', '-no-CAstore',
             file]
         return ipautil.run(args, raiseonerr=False)
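Review bot: The added `-no-CAstore` option is only recognized by OpenSSL 3.0 and later; on a host whose `openssl` binary is older the verify command exits non-zero with an unknown-option error, and since the call passes `raiseonerr=False` that would surface to the caller as a failed chain validation rather than a tooling problem. If older OpenSSL releases are still in scope for this project, consider probing `openssl verify -help` once and appending `-no-CAstore` only when it is supported, or at least document the minimum OpenSSL version the check now requires. The new line also deserves a why-comment so the next reader does not drop it as redundant next to `-CAfile`, e.g. `# Disable the default trust store so only paths.IPA_CA_CRT is consulted`. The body of `validate_openssl` starts before this hunk.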