On to, 10 loka 2019, Kevin Vasko via FreeIPA-users wrote:
I actually manually checked the system wide crt files on each
distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my
/etc/ipa/ca.crt did appear to be in the each of their respective *.crt
files. That indicates to me that there isn't any problem with the
ipa-install-client on any of the distributions like I originally
thought. Rob it does look like Ubuntu is adding it to the
/etc/ssl/certs/ca-certificates.crt with the ipa-install-client as I
didn't do it manually on any of my systems, so it does appear they are
doing it somehow.

These are the locations I checked.

"/etc/ssl/certs/ca-certificates.crt",                //
Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7

What appears to be the problem is (unless I'm mistaken) Firefox nor
Chrome are using the system wide cert locations apparently and only
using their own cert store. At least according to this article:
https://thomas-leister.de/en/how-to-import-ca-root-certificate/
On RHEL/Fedora/CentOS we import system wide cert store automatically to
NSS databases through p11-kit.

On Ubuntu/Debian/Gentoo you need to do that manually.


It kind of is backed up by this article on the Mozilla page.
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

So based off of this information I'm going to have to manually add the
root certificates to each Chrome and Firefox cert store on the client
machines, which is a bummer.

Sorry for the noise.

On Thu, Oct 10, 2019 at 8:40 AM Rob Crittenden <rcrit...@redhat.com> wrote:

Kevin Vasko via FreeIPA-users wrote:
> Kees Bakker,
>
> If it is, I'm certainly not seeing it done on Ubuntu 16.04 or Ubuntu
> 18.04 and based on Rob's comment it might not be done if I'm
> understanding him correctly.

Assuming I'm reading the code right it is not being executed on
Debian/Ubuntu. At least not in the source. It's possible it is patched
into the package in the distribution.

rob

>
> -Kevin
>
> On Thu, Oct 10, 2019 at 8:19 AM Kees Bakker via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On 10-10-19 14:35, Rob Crittenden via FreeIPA-users wrote
>>>
>>> Kevin Vasko via FreeIPA-users wrote:
>>>> How would I validate that certs are getting added properly on a CentOS 
machine system wide store?
>>>>
>>>>   I’m going to test it today to find out if this is a problem unique to 
Ubuntu/CentOS.
>>> On Fedora the chain is put into
>>> /etc/pki/ca-trust/source/anchors/ipa-ca.crt and update-ca-trust is executed.
>>>
>>> There is no Debian/Ubuntu equivalent in the upstream source (it's
>>> possible it is done in packaging). You could try something like:
>>>
>>> cp /etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
>>> update-ca-certificates
>> This is already done by ipa-client-install
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to