- Story
- Resolution: Won't Do
- rhel-idm-ipa
Goal
- As a system admin, I want ipa-certupdate to update an expired /etc/ipa/ca.crt, so that I can continue to use IPA services that rely on TLS.
Acceptance criteria
A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.
- Verify that ipa-certupdate fetches valid CA certificates even if /etc/ipa/ca.crt is expired
- Verify that ipa-certupdate fetches valid CA certificates even if /etc/ipa/ca.crt is empty
- Verify that ipa-certupdate fetches the CA certificates securely (i.e. via Kerberos/SASL)
Note
https://issues.redhat.com/browse/RHEL-113778 alone does not address the bad /etc/ipa/ca.crt issue.
If the system admin can ensure that they reach a genuine, working IPA server (i.e. no man-in-the-middle), the following command fetches the valid chain from that server:
echo | openssl s_client -connect ${IPA_SERVER_FQDN}:443 -verify 10 -showcerts >> /etc/ipa/ca.crt
Replace $IPA_SERVER_FQDN with the FQDN of an actual working IPA server.
They should then be able to run ipa-certupdate.
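The one-liner above appends the whole s_client transcript (handshake chatter, the server's leaf certificate, and any expired certificate in the chain) to /etc/ipa/ca.crt. The script below is an added example, not part of the issue or of FreeIPA: it keeps only the PEM blocks, drops certificates that have already expired, and stages the result in a separate file for review before it replaces /etc/ipa/ca.crt. It assumes openssl is installed and carries the same precondition as the note: the admin must be certain the server is genuine and the path is not intercepted; the file names and FQDN are placeholders.

```shell
# Added example, not code from the issue: stage a refreshed IPA CA file from the chain
# a trusted IPA server presents. As in the note above, the admin must be sure the server
# is genuine and the path is not intercepted. Assumes openssl; names are placeholders.
# Keep only PEM certificate blocks from stdin (e.g. `openssl s_client -showcerts`
# output), dropping the handshake chatter around them.
extract_pem_blocks() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}

# Number of certificates in a PEM stream on stdin.
count_certs() {
    grep -c -- '-----END CERTIFICATE-----'
}

# Write each certificate of a PEM stream on stdin to its own file under directory $1.
split_certs() {
    awk -v dir="$1" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/cert-%02d.pem", dir, n)}
        f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}'
}

# Drop certificates that are already expired (openssl x509 -checkend 0 fails for
# them) so a stale certificate cannot ride along into the new file.
keep_unexpired() {
    dir=$(mktemp -d) || return 1
    split_certs "$dir"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            cat "$f"
        else
            echo "skipping expired or unparsable certificate in $f" >&2
        fi
    done
    rm -rf "$dir"
}

# Fetch the chain presented by $1 (FQDN) on port ${2:-443}, PEM blocks only.
fetch_chain() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts 2>/dev/null | extract_pem_blocks
}

# Stage the result in $2 (default /etc/ipa/ca.crt.new) instead of appending raw
# s_client output to /etc/ipa/ca.crt; review it, move it into place, then run ipa-certupdate.
refresh_ca_file() {
    out=${2:-/etc/ipa/ca.crt.new}
    fetch_chain "$1" | keep_unexpired > "$out"
    n=$(count_certs < "$out")
    [ "$n" -gt 0 ] || { echo "no usable certificate fetched from $1" >&2; return 1; }
    echo "$n certificate(s) staged in $out"
}
```

Run it as `refresh_ca_file ipa.example.test` (placeholder FQDN), inspect the staged file with `openssl x509 -noout -subject -enddate` per certificate, and only then move it over /etc/ipa/ca.crt.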
- depends on: RHEL-113778 [RFE] Command that retrieve and install new CA certificates
- Release Pending