
IPAOpenSSLChainValidation: ignore default trust store #341

Merged
merged 1 commit into from
Oct 14, 2024

Conversation

flo-renaud
Contributor

The check IPAOpenSSLChainValidation is ensuring that the whole certification chain is present in IPA for httpd and RA certificates.
It internally calls openssl verify -CAfile /etc/ipa/ca.crt.

With the latest version of the ca-certificates package, openssl verify also uses the default trust store. Since the test wants to check the chain presence in /etc/ipa/ca.crt, add the -no-CAfile, -no-CApath and -no-CAstore options to ensure that only /etc/ipa/ca.crt is used as the trusted source.

Fixes: #340

@rcritten
Collaborator

rcritten commented Oct 9, 2024

I believe that this is due to ca-certificates adding directory hash links to /etc/pki/tls/certs and dropping the PEM bundle file. This was introduced in ca-certificates-2024.2.69_v8.0.303-5. The bundle will be restored (it is in distgit now but isn't built/released yet).

This code worked previously because a specific CAfile was specified so that the global trust wasn't loaded, only the provided file. With these hash directories in place the global trust is loaded via those.

So I guess my ask is that for historical purposes you mention at least that this affects Fedora 42/rawhide.

The check IPAOpenSSLChainValidation is ensuring that the
whole certification chain is present in IPA for httpd and RA
certificates.
It internally calls openssl verify -CAfile /etc/ipa/ca.crt.

With the latest version of the ca-certificates package shipped in
rawhide/Fedora 42, openssl verify also uses the default trust
store. Since the test wants to check the chain presence in
/etc/ipa/ca.crt, add the -no-CAfile, -no-CApath and -no-CAstore
options to ensure that only /etc/ipa/ca.crt is used as the trusted
source.

Fixes: freeipa#340

Signed-off-by: Florence Blanc-Renaud <[email protected]>
@flo-renaud
Contributor Author

Updated the commit message:

IPAOpenSSLChainValidation: ignore default trust store

The check IPAOpenSSLChainValidation is ensuring that the
whole certification chain is present in IPA for httpd and RA
certificates.
It internally calls openssl verify -CAfile /etc/ipa/ca.crt.

With the latest version of the ca-certificates package shipped in
rawhide/Fedora 42, openssl verify also uses the default trust
store. Since the test wants to check the chain presence in
/etc/ipa/ca.crt, add the -no-CAfile, -no-CApath and -no-CAstore
options to ensure that only /etc/ipa/ca.crt is used as the trusted
source.

@rcritten
Collaborator

ack, thanks.

@rcritten rcritten merged commit 8af886c into freeipa:master Oct 14, 2024
5 checks passed
Successfully merging this pull request may close these issues.

IPAOpenSSLChainValidation changed behavior with ca-certificates update