The ipa-submit helper configures libcurl to use /etc/ipa/ca.crt for CA trust. But if the client is not IPA-enrolled via ipa-client-install (e.g. ipa-getkeytab was used to get the host keytab), then this file doesn't necessarily exist. It leads to hard-to-diagnose request failures.
ipa-submit should just use the system trust store. On an IPA server or client this will include the IPA CA. But it means that it will be easier to use the IPA helper on non-IPA-enrolled machines too.
What is the use case for this? Why would you expect to use an IPA master without being enrolled as an IPA client?
Granted, with system trust now working properly, passing a specific CA is probably no longer necessary.
@rcritten use case outlined in blog post: https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-integration-ipa-certs.html. AD-enrolled system getting certs from IPA.
Metadata Update from @rcritten: - Issue assigned to rcritten
I think if we do an existence check on /etc/ipa/ca.crt that will satisfy the request.
PR https://pagure.io/certmonger/pull-request/194
https://pagure.io/certmonger/c/881a1af1948d529a77fafc4c41b976df79f13991
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
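An added sketch of the existence check proposed in this ticket; it is not certmonger's code and not the content of the linked commit. The helper `pick_ca_source`, the `ca_source` enum and the choice to treat a present-but-broken file as an error rather than a fallback are assumptions made for illustration; `/etc/ipa/ca.crt` and libcurl's `CURLOPT_CAINFO` option are the only real names used.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define IPA_CA_FILE "/etc/ipa/ca.crt" /* path named in the ticket */
#define PEM_MARKER  "-----BEGIN CERTIFICATE-----"

enum ca_source { CA_PINNED_FILE, CA_SYSTEM_DEFAULT, CA_UNUSABLE };

/* Hypothetical helper (not a certmonger function): classify the CA file.
 * *why is set to a loggable reason whenever the file is not used. */
enum ca_source pick_ca_source(const char *path, const char **why)
{
    struct stat st;
    char line[256];
    FILE *fp;
    int has_pem = 0;

    *why = NULL;
    if (stat(path, &st) != 0) {
        if (errno == ENOENT || errno == ENOTDIR) {
            *why = "file does not exist";   /* e.g. no ipa-client-install */
            return CA_SYSTEM_DEFAULT;
        }
        *why = strerror(errno);
        return CA_UNUSABLE;
    }
    if (!S_ISREG(st.st_mode)) { *why = "not a regular file"; return CA_UNUSABLE; }
    if ((fp = fopen(path, "r")) == NULL) { *why = strerror(errno); return CA_UNUSABLE; }
    while (!has_pem && fgets(line, sizeof(line), fp) != NULL)
        has_pem = strncmp(line, PEM_MARKER, sizeof(PEM_MARKER) - 1) == 0;
    fclose(fp);
    if (!has_pem) { *why = "no PEM certificate found"; return CA_UNUSABLE; }
    return CA_PINNED_FILE;
}

int main(void)
{
    const char *why;
    switch (pick_ca_source(IPA_CA_FILE, &why)) {
    case CA_PINNED_FILE:    /* caller sets CURLOPT_CAINFO to IPA_CA_FILE */
        printf("trust: %s\n", IPA_CA_FILE); return 0;
    case CA_SYSTEM_DEFAULT: /* caller leaves CURLOPT_CAINFO unset */
        printf("trust: libcurl default (%s: %s)\n", IPA_CA_FILE, why); return 0;
    default:                /* present but broken: fail with a clear message */
        fprintf(stderr, "%s: %s\n", IPA_CA_FILE, why); return 1;
    }
}
```

Logging the reason string at the point of decision is what turns the failure described in the ticket into one that can be diagnosed from the helper's output.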