Add /etc/pki/tls/certs/ directory to file checker

[rcritten]

In order to load the CA bundle /etc/pki/tls/certs needs to be world-readable. That or the group needs to change if someone wants to get really restrictive but that's likely to cause further unforseen issues elsewhere. This directory contains only public information.

Restrictive permissions will cause pki-tomcatd to fail to start.

Fixes: #358

Summary by Sourcery

Add the OpenSSL certs directory to the permission checks to ensure /etc/pki/tls/certs is accessible, fixing related startup errors

Bug Fixes:

• Prevent pki-tomcatd startup failures due to restrictive permissions on the OpenSSL certs directory

Enhancements:

• Add /etc/pki/tls/certs to the file permission checker with 0755 permissions

[sourcery-ai]

Hey @rcritten - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[flo-renaud]

Hi @rcritten

thanks for the patch, LGTM. Tested on a f42 machine:

# chmod 754 /etc/pki/tls/certs/
# ipa-healthcheck --source ipahealthcheck.ipa.files --check IPAFileCheck
[
  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "ERROR",
    "uuid": "e2f15cac-127f-452d-9cb0-ac63803949d9",
    "when": "20250702144613Z",
    "duration": "0.010254",
    "kw": {
      "key": "_etc_pki_tls_certs_mode",
      "path": "/etc/pki/tls/certs",
      "type": "mode",
      "expected": "0755",
      "got": "0754",
      "msg": "Permissions of /etc/pki/tls/certs are too restrictive: 0754 and should be 0755"
    }
  }
]
# chmod 755 /etc/pki/tls/certs/
# ipa-healthcheck --source ipahealthcheck.ipa.files --check IPAFileCheck
[]