IPAOpenSSLChainValidation: ignore default trust store

The check IPAOpenSSLChainValidation is ensuring that the whole certification chain is present in IPA for httpd and RA certificates. It internally calls openssl verify -CAfile /etc/ipa/ca.crt. With the latest version of ca-certificates package shipped in rawhide/Fedora 42, openssl verify also uses the default trust store. Since the test wants to check the chain presence in /etc/ipa/ca.crt, add the -no-CAfile -no-CApath and -no-CAstore options to ensure that only /etc/ipa/ca.crt is used as trusted source. Fixes: #340 Signed-off-by: Florence Blanc-Renaud <[email protected]>
freeipa · Oct 14, 2024 · 8af886c · 8af886c
1 parent e32c890
commit 8af886c
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/src/ipahealthcheck/ipa/certs.py b/src/ipahealthcheck/ipa/certs.py
@@ -1074,6 +1074,7 @@ def validate_openssl(self, file):
                 '-verbose',
                 '-show_chain',
                 '-CAfile', paths.IPA_CA_CRT,
+                '-no-CAfile', '-no-CApath', '-no-CAstore',
                 file]
 
         return ipautil.run(args, raiseonerr=False)