Project

General

Profile

Bug #32288

Server CA cert not verified for IPA token API call

Added by Lukas Zapletal 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Category:
Security
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Smart proxy ignores CA server certificate for a HTTPS call to IPA when fetching the token:

https://github.com/theforeman/smart-proxy/blob/88fbc8e67d665e2c3b19acb53b31ff30acf078b7/modules/realm_freeipa/provider.rb#L32-L38

There should be a setting to verify CA cert (enabled by default), an installer option and instructions in our documentation on how to enroll na CA cert into the OS cert store.

This issue was reported by Evgeni Golov, thank you.


Related issues

Related to Installer - Feature #32289: Option to toggle IPA API server CA verificationNew

Associated revisions

Revision 3bf19e08 (diff)
Added by Lukas Zapletal 5 months ago

Fixes #32288 - verify FreeIPA CA by default and new setting

History

#1 Updated by Lukas Zapletal 5 months ago

  • Related to Feature #32289: Option to toggle IPA API server CA verification added

#2 Updated by The Foreman Bot 5 months ago

  • Assignee set to Lukas Zapletal
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/787 added

#3 Updated by The Foreman Bot 5 months ago

  • Fixed in Releases 2.5.0 added

#4 Updated by Anonymous 5 months ago

  • Status changed from Ready For Testing to Closed

#5 Updated by Lukas Zapletal 5 months ago

  • Bugzilla link set to 1948006
  • Triaged changed from No to Yes

#6 Updated by The Foreman Bot 2 months ago

  • Pull request https://github.com/theforeman/smart-proxy/pull/792 added

#7 Updated by Ewoud Kohl van Wijngaarden 2 months ago

  • Pull request deleted (https://github.com/theforeman/smart-proxy/pull/792)

Also available in: Atom PDF