test: ensure /etc/pki/tls/cert.pem exists for 802 tests on EL10

https://issues.redhat.com/browse/RHEL-87511

The `system_ca_certs: true` flag in NM tells wpa_supplicant to load the
legacy single‑file CA bundle (historically at /etc/pki/tls/cert.pem).
Under CentOS Stream 9 (and RHEL 8), that path existed (either as a file
or a symlink to the bundle), so the default “system” loading worked.

On CentOS Stream 10 (RHEL 10), Red Hat switched to a hashed directory
trust store and removed `/etc/pki/tls/cert.pem` to optimize OpenSSL
performance as indicated in
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/10.0_beta_release_notes/removed-features
and https://issues.redhat.com/browse/RHEL-50293. wpa_supplicant's
"system_ca_certs" code still tries the old cert.pem path, sees
"No such file or directory" and aborts the TLS setup:

```
OpenSSL: tls_connection_ca_cert - Failed to load root certificates - No such file or directory
EAP‑TLS: Failed to initialize SSL.
```

Hence `system_ca_certs: true` silently fails on Stream 10 because
there is no longer a single‑file CA bundle at that location.

The new ansible-lint does not like variables in play names.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Rich Megginson 2025-07-29 11:24:19 -06:00 committed by Richard Megginson
parent c8e10ac8fe
commit b10a4956e6
2 changed files with 11 additions and 1 deletions
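
The failure described in the commit message depends on what sits at the legacy path: a regular file, a live symlink, a dangling symlink, or nothing. As an added example (not part of this commit or of the role's code), these shell functions classify that state and create the link only when needed; the function names and the `root` prefix argument are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: inspect the legacy single-file CA bundle path and link it
# to the extracted bundle only when that is safe and necessary.
# The optional "root" prefix is hypothetical; it lets the logic be exercised
# in a scratch directory instead of the live filesystem.

# Print one of: file, symlink, dangling, missing
ca_path_state() {
    local p="$1"
    if [ -L "$p" ]; then
        # -e follows the link, so it is false for a dangling symlink
        if [ -e "$p" ]; then echo symlink; else echo dangling; fi
    elif [ -f "$p" ]; then
        echo file
    else
        echo missing
    fi
}

# Ensure <root>/etc/pki/tls/cert.pem resolves to a CA bundle.
# Prints "ok" when nothing had to change, "changed" when a link was created.
# Returns 1 when the extracted bundle is absent or empty, because linking
# to it would only move the "No such file or directory" error elsewhere.
ensure_legacy_ca_bundle() {
    local root="${1:-}"
    local legacy="$root/etc/pki/tls/cert.pem"
    local bundle="$root/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

    if [ ! -s "$bundle" ]; then
        echo "extracted bundle missing or empty: $bundle" >&2
        return 1
    fi

    case "$(ca_path_state "$legacy")" in
        file|symlink)
            echo ok ;;
        dangling)
            # Replace the broken link in place rather than failing on it
            ln -sfn "$bundle" "$legacy"
            echo changed ;;
        missing)
            mkdir -p "$(dirname "$legacy")"
            ln -s "$bundle" "$legacy"
            echo changed ;;
    esac
}
```

Calling `ensure_legacy_ca_bundle` with no argument operates on the real `/etc/pki` paths and needs root privileges.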


@ -1,6 +1,6 @@
# SPDX-License-Identifier: BSD-3-Clause
---
- name: Run the tasklist {{ task }}
- name: Run the tasklist
hosts: all
tasks:
- name: Include the task '{{ task }}'
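Review bot: the play name `Run the tasklist` no longer identifies which tasklist is being run, so run output now depends on the inner task name `Include the task '{{ task }}'` to tell plays apart; that is acceptable for the lint rule, but this rename is unrelated to the cert.pem workaround and is covered by only one line of the commit message, so it would be easier to trace as its own commit.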


@ -68,6 +68,16 @@
- name: Update ca trust
command: update-ca-trust
changed_when: false
- name: Workaround for EL10 CA trust location
shell:
cmd: |
set -euxo pipefail
exec 1>&2
if [ ! -f /etc/pki/tls/cert.pem ]; then
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/cert.pem
fi
executable: /bin/bash
changed_when: false
- name: Import network role
import_role:
name: linux-system-roles.network
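Review bot: the guard `[ ! -f /etc/pki/tls/cert.pem ]` follows symlinks, so a dangling symlink already at that path passes the test and the following `ln -s` fails with "File exists", which `set -e` turns into a task failure; test with `[ ! -e ... ] && [ ! -L ... ]`, or replace the link with `ln -sfn`. The task also reports `changed_when: false` although it can create a symlink on the host; the `file` module with `state: link` would give the same result with accurate change reporting and no shell.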