Bug 1161120

Summary: Allow client-authenticated SSL connection from managed hosts (using subscription management certificate)
Product: Red Hat Satellite
Reporter: Martin Milata <mmilata>
Component: Foreman Proxy
Assignee: Martin Milata <mmilata>
Status: CLOSED NOTABUG
QA Contact: Tazim Kolhar <tkolhar>
Severity: medium
Priority: unspecified
Version: Nightly
CC: bkearney, cgoern, cwelton, lzap, mmilata, tkolhar
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-02-12 12:26:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1100284, 1180051, 1180666

Description Martin Milata 2014-11-06 12:33:19 UTC
The ABRT plugin requires that managed hosts talk with the smart-proxy using SSL client authentication.

In upstream Foreman, smart-proxy uses Puppet certificates, and the managed hosts can connect to it and authenticate using their own Puppet certificate. In Sat6, however, a set of certificates dedicated to smart-proxy<->Foreman communication seems to be used, with its own self-signed CA certificate. This means that the hosts cannot authenticate to smart-proxy as their certificates were signed by a different CA (and furthermore they don't trust the smart-proxy's certificate because they don't know the CA in question).

Provided we want to avoid relying on Puppet certificates, one solution is to extend smart-proxy to use multiple CA certificates. Then we can use Puppet (or subscription management) certificates to communicate between smart-proxy and managed hosts.

Comment 1 RHEL Program Management 2014-11-06 12:52:58 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

Comment 4 Martin Milata 2014-11-07 09:02:07 UTC
ABRT plugin requires it, so yes.

Comment 6 Lukas Zapletal 2014-11-10 14:10:07 UTC
Martin, can you elaborate on what exactly you expect? I was under the impression that the only required change for ABRT in Satellite 6 is to configure ABRT clients to use consumer certs instead of puppet.

Comment 7 Martin Milata 2014-11-10 14:36:00 UTC
Right, the consumer certificate can be used instead of the puppet one. No change is required in ABRT as it can be configured to use any certificate in PEM format (although it would be nice if the full path didn't have to be used in the config).

One problem is that the subscription management CA is not among the system-wide CAs, so we need to add it before submitting a report to the capsule (unless we want to turn off SSL verification) by running "cp /etc/rhsm/ca/katello-server-ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust". Perhaps this could be done as part of provisioning, together with configuring ABRT to use the right URL and certificates?

Another problem is that the subscription management certificate does not contain the FQDN in its CN, but a UUID. The UUID can be mapped to the host on Foreman; however, it seems the host does not always exist due to bug #1100284.
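To reproduce both problems from comment 7 with a throwaway CA, an added example that is not part of the bug thread or of Satellite: a client does not trust a certificate signed by the katello CA until that CA is in its trust store, and the certificate a managed host presents carries a UUID rather than a FQDN in its CN, so the proxy has to look the host up by UUID. It assumes openssl is on PATH; the CA, the signed certificate and the UUID are all constructed in a temp directory.

```shell
#!/bin/bash
# Added example (not from the bug thread). Assumes openssl is on PATH.
# Everything is constructed in a temp dir; nothing touches /etc/pki or /etc/rhsm.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for katello-server-ca.pem plus a certificate it signs
# whose CN is a UUID, as the thread describes for the consumer certificate.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-katello-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=7b0c1d3e-2a9f-4c51-9d0e-55e6f1a2b3c4" \
    -keyout "$WORK/consumer.key" -out "$WORK/consumer.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/consumer.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/consumer.pem" >/dev/null 2>&1
}

# 1 if the cert chains to a trusted CA, 0 otherwise. With an empty CA argument
# only the system store is consulted, which is the host's situation before
# "cp katello-server-ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust".
verify_with_ca() {  # $1 = cert, $2 = CA bundle or ""
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo 1 || echo 0
  else
    openssl verify "$1" >/dev/null 2>&1 && echo 1 || echo 0
  fi
}

# Subject CN of a PEM certificate (what the smart-proxy sees after client auth).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject= *//; s/^CN=//; s/,.*//'
}

# "uuid": map the client to a host by subscription UUID; "fqdn": by hostname.
cn_kind() {
  if printf '%s\n' "$1" \
     | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
    echo uuid
  else
    echo fqdn
  fi
}
make_test_pki
echo "trusted by system store only: $(verify_with_ca "$WORK/consumer.pem" "")"
echo "trusted once the CA is known:  $(verify_with_ca "$WORK/consumer.pem" "$WORK/ca.pem")"
cn="$(cert_cn "$WORK/consumer.pem")"
echo "client CN=$cn, lookup by $(cn_kind "$cn")"
```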

Comment 8 Martin Milata 2014-11-12 16:20:29 UTC
Furthermore, smart-proxy->Foreman HTTP communication fails because Foreman does not accept the proxy's certificate. Upstream bug filed: http://projects.theforeman.org/issues/8372

Comment 9 Martin Milata 2015-01-09 16:30:56 UTC
This bug can be closed once bug #1180051 and bug #1180666 are closed.

Comment 10 Martin Milata 2015-02-12 12:26:07 UTC
Both bugs are ON_QA. Let me close this bug as it doesn't serve any useful purpose.