RHEL-88782

NetworkManager incorrectly hard-codes the CA bundle path to /etc/pki/tls/cert.pem, which no longer exists on RHEL 10, causing trust store lookup failures


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.1
    • NetworkManager
    • rhel-net-mgmt
    • ssg_networking
    • 3
      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given a system administrator configuring secure VPN and 802.1x connections on a RHEL10 host,

      When the connection is activated and requires access to trusted certificate authorities,

      Then NetworkManager must read the CA certificates from the new RHEL10-compliant trust store path (/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem), making sure that the connection is successfully validated if the bundle contains the correct root CAs. On RHEL9 and earlier, NetworkManager must continue using the legacy path (/etc/pki/tls/cert.pem) to preserve compatibility.


      ( ) Integration test case is available upstream.


      ( ) Preliminary testing is done.


       


      The NetworkManager.spec file for RHEL/CentOS Stream 10 hard-codes the TLS CA bundle path to `/etc/pki/tls/cert.pem`, but this file no longer exists starting from RHEL/CentOS Stream 10 (as indicated in https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/10.0_beta_release_notes/removed-features and https://issues.redhat.com/browse/RHEL-50293).

      We should update the NetworkManager.spec file:

      On CentOS Stream 10 / RHEL 10 and newer, change the CA trust store path to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
      On older releases (RHEL/CentOS 9 and below), keep using `/etc/pki/tls/cert.pem`.

      Reason: To align with the system-wide dropping of `/etc/pki/tls/cert.pem` and use the new hashed directory structure for trusted CAs.

              Network Management Team (nm-team)
              Wen Liang (liangwen12year)
              Network Management Team
              Vladimir Benes
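A host-side check for the condition this issue describes, as an added example that is not NetworkManager or Red Hat code: it reports whether a configured CA bundle path resolves to a PEM file holding at least one certificate block. Only the two paths come from the issue; the function names, the root-directory argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not NetworkManager code): check whether a CA bundle path
# resolves to a usable PEM file under a given root directory.
LEGACY=/etc/pki/tls/cert.pem
MODERN=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# ca_bundle_state ROOT FILE
# Prints: missing | dangling | empty | ok:<number of PEM certificate blocks>
ca_bundle_state() {
    f="$1$2"
    if [ -L "$f" ] && [ ! -e "$f" ]; then echo dangling; return 0; fi
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    # grep -c exits 1 on zero matches; "|| true" keeps this safe under set -e
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$n" -eq 0 ]; then echo empty; else echo "ok:$n"; fi
}

# check_configured ROOT FILE
# Returns 0 only if FILE (the path a TLS client was built to use) is usable.
check_configured() {
    state=$(ca_bundle_state "$1" "$2")
    echo "$2: $state"
    case $state in ok:*) return 0 ;; *) return 1 ;; esac
}

# make_rhel10_like_root: constructed test tree with the new bundle only,
# holding two placeholder PEM blocks (not real certificates).
make_rhel10_like_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/pki/ca-trust/extracted/pem" "$root/etc/pki/tls"
    for i in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----'
    done > "$root$MODERN"
    echo "$root"
}

# Demo: on the constructed tree the legacy path fails and the new one passes.
ROOT=$(make_rhel10_like_root)
check_configured "$ROOT" "$LEGACY" || echo "legacy path unusable"
check_configured "$ROOT" "$MODERN" && echo "new path usable"
rm -rf "$ROOT"
```

Passing an empty string as the root argument runs the same checks against the live host; a `dangling` result means the path is a symlink whose target is gone.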