Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.2
Affects Version/s: None
Component/s: ipa
Labels:
- fixed_upstream
- rn-yml

Fixed in Build:
ipa-4.13.1-1.el10
Severity:
Low
Epic Link:
IDM-2839

AssignedTeam:
rhel-idm-ipa
Sub-System Group:

ssg_idm

Dev Target Milestone:
22
Internal Target Milestone:
24
Story Points:
0
ACKs Check:

QE ack, Dev ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Git Pull Request:
https://github.com/freeipa/freeipa/pull/7903
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/154934
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement: the tool ipa-certupdate now accepts an additional option --force-server SERVER.FQDN.
Reason: A client connects to its default server (specified in /etc/ipa/ca.crt) when it retrieves the Certificate Authorities. If this default server is down or unreachable, the command ipa-certupdate fails.
Result: The client can now connect to the server defined in the option --force-server SERVER.FQDN instead of using the default server when it retrieves the Certificate Authorities using ipa-certupdate.

Show
Feature, enhancement: the tool ipa-certupdate now accepts an additional option --force-server SERVER.FQDN. Reason: A client connects to its default server (specified in /etc/ipa/ca.crt) when it retrieves the Certificate Authorities. If this default server is down or unreachable, the command ipa-certupdate fails. Result: The client can now connect to the server defined in the option --force-server SERVER.FQDN instead of using the default server when it retrieves the Certificate Authorities using ipa-certupdate.
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

As a system administrator, I would like a command to retrieve CA certificates from a working IPA server, so I don't need to manually installing CA certificates.

So far, ipa-certupdate queries the CA using https like:

 # ipa-certupdate -v
...
ipalib.rpc: DEBUG: trying https://server0.example.com/ipa/json
ipalib.rpc: DEBUG: New HTTP connection (server0.example.com)
...
ipalib.rpc: DEBUG: [try 1]: Forwarding 'ca_find/1' to json server 'https://server0.example.com/ipa/session/json'

However, when local CA certificates expired, the validation failed

Connection to https://server0.example.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
Connection to https://server1.example.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

Thus we need a command or ipa-certupdate option to retrieve the CA certificates similar to

kinit -k
ldapsearch -Y gssapi -H ldap://server0.example.com -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'

is depended on by

RHEL-149514 ipa-certupdate should handle the case when certificates /etc/ipa/ca.crt are expired or missing

Closed

links to

freeipa pagure 9839

RHSA-2025:154934 ipa security update

Assignee:: Florence Renaud

Reporter:: Ding Yi Chen

Developer:: Florence Renaud

QA Contact:: PRANAV THUBE

Doc Contact:: Filip Hanzelka

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2025/09/02 12:27 PM

Updated:: 2026/02/13 8:18 AM

Dev Target end:: 2026/01/26

Target end:: 2026/02/09

Next Planned Release Date:: 2026/05/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates