RHEL-99999

IPAOpenSSLChainValidation changed behavior with ca-certificates update


    • ipa-healthcheck-0.16-11.el10
    • No
    • Moderate
    • 1
    • rhel-idm-pki
    • 2
    • False
    • False
    • No
    • 2025-IDM-PKI-S2
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Issue observed when test started failing with error in RHEL-10.1:

      def test_opensslchainvalidation_ipa_ca_cert(self, replace_ipa_chain):
          """
          Test for IPAOpenSSLChainValidation when /etc/ipa/ca.crt
          contains IPA CA cert but not the external CA
          """
          version = tasks.get_healthcheck_version(self.master)
          error_msg = "Certificate validation for {key} failed: {reason}"
          error_reason = (
              "CN = Certificate Authority\nerror 2 at 1 depth "
              "lookup: unable to get issuer certificate\n"
          )
          returncode, data = run_healthcheck(
              self.master,
              "ipahealthcheck.ipa.certs",
              "IPAOpenSSLChainValidation",
          )
      >   assert returncode == 1
      E   assert 0 == 1

      After investigation the error is likely related to this issue: https://github.com/freeipa/freeipa-healthcheck/issues/340

      which was fixed with ipa-healthcheck 0.18 with this commit: https://github.com/rcritten/freeipa-healthcheck/commit/8af886c515c2e3bc8a2233202c275f6ca9c87b3b

      On RHEL 10.1 we have ipa-healthcheck 0.16 and the patch was not backported.

              rhn-engineering-rcrit Rob Crittenden
              rhn-support-amore Anuja More
              Rob Crittenden Rob Crittenden
              Sudhir Menon Sudhir Menon