Bug 1296301

Summary: Katello-installer and capsule-certs-generate sign certificates with sha1
Product: Red Hat Satellite
Reporter: dzr0001
Component: Security
Assignee: Katello Bug Bin <katello-bugs>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: high
Priority: unspecified
Version: 6.1.5
CC: ahuchcha, bbuckingham, cwelton, dzr0001, inecas, kbidarka, nshaik, pmoravec, pmutha, swadeley
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: All
URL: http://projects.theforeman.org/issues/10777
Doc Type: Bug Fix
Last Closed: 2016-07-27 09:01:17 UTC
Type: Bug

Description dzr0001 2016-01-06 20:36:45 UTC
Description of problem:

Generated certificates are signed with sha1 instead of sha256.

Version-Release number of selected component (if applicable):

6.1.5, likely all

How reproducible:

100%

Steps to Reproduce:

1. Install satellite or generate capsule certificates
2. Inspect certificates

Actual results:

Certificates are signed with a sha1 algorithm

Expected results:

Certificates should be signed with a sha2 algorithm

Additional info:

This appears to have been fixed in katello upstream https://github.com/Katello/katello-certs-tools/commit/b68836ab1b70d085691168dbc3748769c405e522

Comment 1 Bryan Kearney 2016-01-12 18:12:52 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10777 from this bug

Comment 2 Corey Welton 2016-01-12 18:13:48 UTC
QE: ping ehelms or someone else on dev on what ssl commands to use

Comment 8 Kedar Bidarkar 2016-04-01 18:36:34 UTC
[xyz@abc certs]# ls *.crt
abc.redhat.com-apache.crt                abc.redhat.com-qpid-broker.crt
abc.redhat.com-foreman-client.crt        abc.redhat.com-qpid-client-cert.crt
abc.redhat.com-foreman-proxy-client.crt  abc.redhat.com-qpid-router-client.crt
abc.redhat.com-foreman-proxy.crt         abc.redhat.com-qpid-router-server.crt
abc.redhat.com-puppet-client.crt


[xyz@abc certs]# for i in `ls *.crt`; do openssl x509 -text -noout -in $i | grep -i sha256WithRSAEncryption; done
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption


All the certs now use the sha256 and not the sha1 algorithm.
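
The grep in the comment above prints only the lines that match sha256, so a certificate still signed with sha1 would show up as missing output rather than as a flagged file. The script below is an added example, not part of the bug report or of Katello: it names each certificate with its signature algorithm and exits non-zero if any is not SHA-2. The function names `classify_sigalg`, `sigalg_from_text` and `audit_certs` are hypothetical.

```shell
#!/bin/sh
# Added example: per-file audit of X.509 signature algorithms.

# Classify an OpenSSL signature-algorithm name.
#   weak    - MD5 or SHA-1 based (e.g. sha1WithRSAEncryption, ecdsa-with-SHA1)
#   ok      - SHA-2 based (sha224/256/384/512)
#   unknown - anything else, or empty; review by hand
#             (e.g. RSASSA-PSS, where the hash is a separate parameter)
classify_sigalg() {
    alg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$alg" in
        *md5*|*sha1*) echo weak ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Read `openssl x509 -text` output on stdin and print the first
# "Signature Algorithm:" value (the one inside the signed certificate body).
sigalg_from_text() {
    awk '/Signature Algorithm:/ {
        sub(/^.*Signature Algorithm:[ \t]*/, "")
        print
        exit
    }'
}

# Audit every *.crt in a directory (default: current directory).
# Prints "verdict algorithm file" per certificate; returns 1 if any
# certificate is weak, unknown, or could not be parsed.
audit_certs() {
    dir=${1:-.}
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue          # glob matched nothing
        alg=$(openssl x509 -text -noout -in "$crt" | sigalg_from_text)
        verdict=$(classify_sigalg "$alg")
        printf '%-7s %-28s %s\n' "$verdict" "${alg:-<none>}" "$crt"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}
```

Run `audit_certs` in the directory holding the generated `.crt` files; a non-zero exit status means at least one certificate needs attention.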

Comment 9 Kedar Bidarkar 2016-04-01 18:36:56 UTC
VERIFIED with sat62-snap6

Comment 10 Stephen Wadeley 2016-04-07 07:24:29 UTC
*** Bug 1314418 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2016-07-27 09:01:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

Comment 22 Red Hat Bugzilla 2023-09-14 03:15:45 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days