The location of the CA chain can be specified by setting ca_certfile in RPCClient::create_connection. This value is properly saved in the context but when the actual connection is made in SSLTransport the hardcoded value in the API is used instead of the value in the context.
This can be worked around by setting tls_ca_cert in api.bootstrap() but it shouldn't be necessary given the variable is already there.
Also of note: if the CA file does not exist, then only "Unhandled exception: [Errno 2] No such file or directory" is provided, not what file cannot be found.
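An added sketch of the behaviour the report asks for, not FreeIPA's code and not part of the original ticket: the per-connection CA file takes precedence over the global default, and a missing file is reported by name. It assumes Python's standard `ssl` module; the function names and file paths are hypothetical, and only `ca_certfile` and `tls_ca_cert` come from the report.

```python
import errno
import ssl


def pick_ca_file(ca_certfile, env_tls_ca_cert):
    """Return the CA bundle to trust for this connection.

    ca_certfile     -- value passed for this connection (may be None)
    env_tls_ca_cert -- global default (stands in for the tls_ca_cert setting)
    The reported bug amounts to always returning env_tls_ca_cert here.
    """
    return ca_certfile or env_tls_ca_cert


def make_tls_context(ca_certfile=None,
                     env_tls_ca_cert="/constructed/default-ca.crt"):
    """Build a verifying client context from the selected CA file."""
    path = pick_ca_file(ca_certfile, env_tls_ca_cert)
    # PROTOCOL_TLS_CLIENT enables certificate and hostname verification.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except FileNotFoundError as exc:
        # Re-raise with the path attached so the message names the file.
        raise FileNotFoundError(
            errno.ENOENT, "CA certificate file not found", path) from exc
    except ssl.SSLError as exc:
        # File exists but holds no usable PEM certificate.
        raise ValueError(
            f"CA file {path!r} is not a valid PEM bundle: {exc}") from exc
    return ctx


if __name__ == "__main__":
    try:
        make_tls_context(ca_certfile="/constructed/fetched-chain.pem")
    except FileNotFoundError as exc:
        print(exc)
```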
PR https://github.com/freeipa/freeipa/pull/1047
The reason I need this is to be able to do IPA operations on a machine that is not enrolled as an IPA client. I create a temporary krb5.conf and bootstrap IPA in such a way that I don't need to be enrolled. To do this I need to fetch the CA chain and pass it into the rpcclient class. This can be done one of two ways:
Metadata Update from @pvoborni: - Issue priority set to: major - Issue set to the milestone: FreeIPA 4.5.4
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
master:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-6: