#132 ipa-submit should use system trust
Closed: fixed 2 years ago by rcritten. Opened 4 years ago by ftweedal.

The ipa-submit helper configures libcurl to use /etc/ipa/ca.crt for CA trust. But if the client is not IPA-enrolled via ipa-client-install (e.g. ipa-getkeytab was used to get the host keytab), then this file doesn't necessarily exist. It leads to hard-to-diagnose request failures.

ipa-submit should just use the system trust store. On an IPA server or client this will include the IPA CA. But it means that it will be easier to use the IPA helper on non-IPA-enrolled machines too.


What is the use case for this? Why would you expect to use an IPA master without being enrolled as an IPA client?

Granted, with system trust now working properly, passing a specific CA is probably no longer necessary.

Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

I think if we do an existence check on /etc/ipa/ca.crt that will satisfy the request.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
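
The failure mode and the existence-check fix discussed in this ticket, as an added example that is not certmonger's code: it uses Python's `ssl` module in place of the C/libcurl helper, and the function names are hypothetical. Only the path /etc/ipa/ca.crt comes from the ticket.

```python
import os
import ssl

IPA_CA_PATH = "/etc/ipa/ca.crt"  # path named in the ticket


def pinned_only_context(ca_path=IPA_CA_PATH):
    """Behaviour the ticket reports: always trust ca_path, whether or not it exists.

    On a host that was never enrolled with ipa-client-install the file may be
    absent, and this raises FileNotFoundError before any request is sent.
    """
    return ssl.create_default_context(cafile=ca_path)


def build_tls_context(ca_path=IPA_CA_PATH):
    """Existence check as proposed in the ticket.

    Returns (context, trust_source). trust_source is "ipa-ca-file" when
    ca_path exists and was loaded, "system" when it is absent and the
    system trust store is used instead.
    """
    if os.path.isfile(ca_path):
        # The file exists, so trust only it. A file that exists but holds no
        # usable certificate raises ssl.SSLError here: there is deliberately
        # no silent fallback, so a damaged CA file is noticed, not masked.
        return ssl.create_default_context(cafile=ca_path), "ipa-ca-file"
    # File absent: load the system trust store. On an enrolled IPA server or
    # client that store is expected to contain the IPA CA already.
    return ssl.create_default_context(), "system"


if __name__ == "__main__":
    ctx, source = build_tls_context()
    print("trust source:", source)
    print("verify mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

Returning the trust source alongside the context lets the caller log which store was used, which addresses the "hard-to-diagnose" part of the report.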
