IPAOpenSSLChainValidation: ignore default trust store

[flo-renaud]

The check IPAOpenSSLChainValidation is ensuring that the whole certification chain is present in IPA for httpd and RA certificates.
It internally calls openssl verify -CAfile /etc/ipa/ca.crt.

With the latest version of ca-certificates package, openssl verify also uses the default trust store. Since the test wants to check the chain presence in /etc/ipa/ca.crt, add the -no-CAfile -no-CApath and -no-CAstore options to ensure that only /etc/ipa/ca.crt is used as trusted source.

Fixes: #340

[rcritten]

I believe that this is due to ca-certificates adding directory hash links to /etc/pki/tls/certs and dropping the PEM bundle file. This was introduced in ca-certificates-2024.2.69_v8.0.303-5. The bundle will be restored (it is in distgit now but isn't built/released yet).

This code worked previously because a specific CAfile was specified so that the global trust wasn't loaded, only the provided file. With these hash directories in place the global trust is loaded via those.

So I guess my ask is that for historical purposes you mention at least that this affects Fedora 42/rawhide.

[flo-renaud]

Updated the commit message:

IPAOpenSSLChainValidation: ignore default trust store

The check IPAOpenSSLChainValidation is ensuring that the
whole certification chain is present in IPA for httpd and RA
certificates.
It internally calls openssl verify -CAfile /etc/ipa/ca.crt.

With the latest version of ca-certificates package shipped in
rawhide/Fedora 42, openssl verify also uses the default trust
store. Since the test wants to check the chain presence in
/etc/ipa/ca.crt, add the -no-CAfile -no-CApath and -no-CAstore
options to ensure that only /etc/ipa/ca.crt is used as trusted
source.

[rcritten]

ack, thanks.