Currently ipa-client-install expects the underlying OS to use NSS cert DB under /etc/pki/nssdb. However, on some platforms like Debian/Ubuntu this is not the case.
For example, to make IPA's ca.crt trusted for ipa-join et al. on Ubuntu, IPA ca.crt must be placed under /usr/share/ca-certificates, added to /etc/ca-certificates.conf, and finally update-ca-certificates needs to be run.
It should be possible to make certificate handling platform specific in platform code.
IPA requires NSS to work.
Updating the OpenSSL CA bundles is possible but it has nothing to do with updating the default NSS database.
Fedora/RHEL links more components against NSS than many other distributions. While testing on Ubuntu Oneiric, ipa-join failed because libcurl failed to execute the HTTP POST transaction due to failed verification on the certificate unless the IPA ca.crt was manually added to the OpenSSL CA bundle.
It should also be noted that /etc/pki/nssdb is now hard-coded in ipa-client-install and some platforms like Ubuntu do not have that directory even with NSS / certutil installed.
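The two manual workarounds discussed in this ticket, staging IPA's ca.crt into the Debian/Ubuntu system trust so that update-ca-certificates regenerates the bundle libcurl reads, and making sure the /etc/pki/nssdb directory that ipa-client-install hard-codes actually exists, as an added POSIX shell example. This is not code from the ticket or from FreeIPA's own client installer. The function names, the ipa/ subdirectory under /usr/share/ca-certificates, and the optional root prefix used for dry runs are my own assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA code): stage an IPA ca.crt into the Debian/Ubuntu
# system trust store and make sure the NSS DB directory exists.
# Assumed conventions: the certificate goes under /usr/share/ca-certificates/ipa/,
# an optional root prefix is used for dry runs, and the function names are mine.

# Install a PEM CA certificate so update-ca-certificates will pick it up.
#   $1 = path to IPA's ca.crt, $2 = optional root prefix, $3 = target file name
# update-ca-certificates only considers files ending in .crt and only those
# listed (relative to /usr/share/ca-certificates) in /etc/ca-certificates.conf.
install_ipa_ca_debian() {
    ca_crt="$1"
    root="${2:-}"
    name="${3:-ipa-ca.crt}"
    share="$root/usr/share/ca-certificates/ipa"
    conf="$root/etc/ca-certificates.conf"

    case "$name" in
        *.crt) ;;
        *) echo "refusing '$name': update-ca-certificates only loads *.crt" >&2
           return 1 ;;
    esac
    if ! grep -q 'BEGIN CERTIFICATE' "$ca_crt" 2>/dev/null; then
        echo "not a PEM certificate: $ca_crt" >&2
        return 1
    fi

    mkdir -p "$share" "$root/etc"
    cp "$ca_crt" "$share/$name"
    chmod 0644 "$share/$name"

    # Add the conf entry once so repeated runs stay idempotent.
    entry="ipa/$name"
    if [ ! -f "$conf" ]; then
        : > "$conf"
    fi
    grep -qxF "$entry" "$conf" || printf '%s\n' "$entry" >> "$conf"

    # Only rebuild the live bundle when operating on the real system.
    if [ -z "$root" ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# Create the NSS database directory that ipa-client-install hard-codes
# (absent on Ubuntu even with certutil installed) and initialise an empty
# DB when certutil is available.
ensure_nssdb_dir() {
    dir="${1:-/etc/pki/nssdb}"
    if [ -d "$dir" ]; then
        return 0
    fi
    mkdir -p "$dir"
    if command -v certutil >/dev/null 2>&1; then
        certutil -N -d "sql:$dir" --empty-password
    fi
}

# Usage: sh this-script.sh /etc/ipa/ca.crt            (live system, as root)
#        sh this-script.sh /etc/ipa/ca.crt /tmp/root  (dry run under /tmp/root)
if [ $# -gt 0 ]; then
    install_ipa_ca_debian "$1" "${2:-}" && ensure_nssdb_dir "${2:-}/etc/pki/nssdb"
fi
```

After update-ca-certificates runs on the live system, /etc/ssl/certs/ca-certificates.crt is regenerated, which is the bundle an OpenSSL- or GnuTLS-linked libcurl consults; that is the same effect as the manual addition to the OpenSSL CA bundle mentioned in the comment above. The NSS step is separate, as noted earlier in the ticket: it only makes the hard-coded directory exist and does not by itself trust the CA for NSS-linked components.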
Metadata Update from @myllynen:
- Issue assigned to abbra
- Issue set to the milestone: Tickets Deferred
Support for Debian-specific CA paths and updating global CA trust was added in e04b75c.
The NSS database dir is platform independent as well but it is currently not overridden. I believe at least the Ubuntu packaging creates this directory.
By default clients no longer obtain certificates automatically.
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)