RHEL-78316: keylime does not use CA certificates from configuration when verifying revocation notification webhook certificate


    • Bug
    • Resolution: Done-Errata
    • rhel-9.6
    • rhel-9.5
    • keylime
    • keylime-7.3.0-15.el9
    • Moderate
    • rhel-security-special-projects
    • ssg_security
    • QE ack, Dev ack
    • SECENGSP Cycle 14
    • Release Note Not Required
    • Covered by RHEL-78313

      What were you trying to do that didn't work?

      When verifying the revocation notification webhook server certificate, keylime does not include the certificates provided via the 'trusted_server_ca' configuration option. Only the system-installed CA certificates are used.

      Please provide the package NVR for which the bug is seen:

      keylime-7.3.0-13.el9_3.src.rpm

      How reproducible:

      always

      Steps to reproduce

      1. Set up a webhook server to receive revocation notifications over TLS. For example:

      $ openssl s_server -cert cert.crt -key private.pem -port 8080 &

      2. Add the revocation notification webhook server CA certificate to the 'trusted_server_ca' list in the verifier configuration (by modifying /etc/keylime/verifier.conf or adding a snippet in /etc/keylime/verifier.conf.d/).
      3. Configure the verifier to send revocation notifications to the webhook by setting the following options in the configuration:

      enabled_revocation_notifications = ['agent', 'webhook']

      webhook_url = "localhost:8080"

      4. Start the Keylime verifier, Keylime registrar, and Keylime agent. Enroll the agent to the verifier using the Keylime tenant. Make the agent fail attestation by running a script not included in the runtime policy.

      Expected results

      The verifier successfully establishes a TLS connection to the revocation notification webhook server by verifying the presented certificate against the CA certificate configured via the 'trusted_server_ca' option. The revocation notification webhook server receives the revocation notification normally.

      Actual results

      The verifier fails to establish a TLS connection to the revocation notification webhook server due to certificate verification failure. The webhook server CA certificate added to the 'trusted_server_ca' option in the configuration is ignored.
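      The behaviour the report expects, as an added example that is not keylime's own code: build the TLS context for the webhook connection from the verifier configuration so that every 'trusted_server_ca' entry is loaded on top of the system trust store, and treat a configured CA that cannot be loaded as an error rather than silently falling back to system CAs only. The [verifier] section layout, the Python-literal list syntax, the 'tls_dir' option and the resolution of relative CA file names against it are assumptions modelled on keylime's configuration conventions; the configuration text is constructed.

```python
import ast
import configparser
import ssl
from pathlib import Path

# Constructed verifier configuration snippet (sample values, not from a real system).
SAMPLE_VERIFIER_CONF = """
[verifier]
tls_dir = /var/lib/keylime/cv_ca
trusted_server_ca = ['cacert.crt', '/etc/pki/keylime-webhook/webhook-ca.pem']
enabled_revocation_notifications = ['agent', 'webhook']
webhook_url = "localhost:8080"
"""


def load_verifier_conf(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def parse_list_option(raw: str) -> list[str]:
    """List-valued options are written as Python literals, e.g. ['agent', 'webhook']."""
    value = ast.literal_eval(raw.strip())
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"expected a list of strings, got {raw!r}")
    return value


def configured_ca_paths(cfg: configparser.ConfigParser) -> list[Path]:
    """Resolve trusted_server_ca entries; relative names live under tls_dir (assumption)."""
    tls_dir = Path(cfg.get("verifier", "tls_dir"))
    raw = cfg.get("verifier", "trusted_server_ca", fallback="[]")
    return [Path(p) if Path(p).is_absolute() else tls_dir / p for p in parse_list_option(raw)]


def webhook_ssl_context(cfg: configparser.ConfigParser) -> ssl.SSLContext:
    """TLS context for the revocation webhook: system CAs plus the configured ones.

    The reported defect is equivalent to stopping after create_default_context():
    only the system trust store is loaded and trusted_server_ca is ignored.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # system CAs, hostname check on
    ctx.verify_mode = ssl.CERT_REQUIRED
    for ca in configured_ca_paths(cfg):
        # Fail closed: a missing configured CA must not degrade to "system CAs only".
        if not ca.is_file():
            raise FileNotFoundError(f"trusted_server_ca entry not found: {ca}")
        ctx.load_verify_locations(cafile=str(ca))  # adds to, does not replace, system CAs
    return ctx
```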

              Sergio Correia (scorreia@redhat.com), Karel Srot (ksrot@redhat.com), Jan Fiala