
Bug 1329327

Summary: Candlepin can't support connecting to AMQP servers with alternate hostnames in the certificate
Product: Red Hat Satellite
Reporter: Stephen Benjamin <stbenjam>
Component: Candlepin
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED CURRENTRELEASE
QA Contact: Jitendra Yejare <jyejare>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.2.0
CC: bbuckingham, bcourt, bkearney, cdonnell, cwelton, jyejare, stbenjam
Target Milestone: Unspecified
Keywords: Reopened, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: candlepin-0.9.54.21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1330262
Environment:
Last Closed: 2018-03-16 13:37:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1330262
Bug Blocks: 1252573

Description Stephen Benjamin 2016-04-21 15:46:14 UTC
Description of problem:
We are moving qpid to only listen on localhost in Satellite because of BZ1252573. So we add 'localhost' as an alternate DNS name on our certificate.  

Candlepin fails with this error:

Caused by: org.apache.qpid.AMQException: Cannot connect to broker: SSL hostname verification failed. Expected : localhost Found in cert : centos7-bats.example.com


It's due to qpid's Java library in 0.30 only verifying the CN:
  https://github.com/apache/qpid/blob/0.30/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L58-L62

It seems to be fixed in later versions:

https://github.com/apache/qpid-java/blob/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L141-L150



Version-Release number of selected component (if applicable):
candlepin-0.9.54.4-1.el7.noarch

How reproducible:
Always


Steps to Reproduce:
1. Create a certificate with alternate hostname and use it for qpid
2. Have candlepin configured to use alternate hostname


Actual results:
SSL verification fails

Expected results:
SSL verification succeeds
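The verification difference described in this report, as an added example that is not part of the bug report and not Candlepin or qpid code: a hostname matcher that checks the certificate's subjectAltName DNS entries first and falls back to the subject CN only when the certificate carries no SAN at all (the RFC 6125 rule), beside the CN-only check that produces the "Expected : localhost Found in cert : centos7-bats.example.com" error above. The certificate is a constructed dict in the shape Python's ssl.SSLSocket.getpeercert() returns, carrying the CN and SAN values from this report; no network connection is made.

```python
"""SAN-aware hostname verification beside the CN-only check.

Added example, not Candlepin or qpid code. The certificate below is a
constructed dict in the shape returned by ssl.SSLSocket.getpeercert().
"""


def _san_dns_names(cert):
    """Return the DNS entries from subjectAltName, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _subject_cn(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _label_matches(pattern, hostname):
    """Case-insensitive match of one presented identifier against a hostname.

    A wildcard is honoured only as the whole leftmost label ("*.example.com"),
    must leave at least two fixed labels, and matches exactly one label
    (RFC 6125 section 6.4.3).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname_cn_only(cert, hostname):
    """The legacy check: compare the hostname against the CN and nothing else.

    This is the behaviour the report describes for qpid's 0.30 Java client:
    a SAN entry for "localhost" is never consulted, so the check fails.
    """
    cn = _subject_cn(cert)
    return cn is not None and _label_matches(cn, hostname)


def match_hostname(cert, hostname):
    """SAN-aware check: SAN dNSName entries decide; the CN is consulted only
    when the certificate has no SAN entries at all."""
    names = _san_dns_names(cert)
    if not names:
        cn = _subject_cn(cert)
        names = [cn] if cn else []
    return any(_label_matches(name, hostname) for name in names)


# Constructed certificate mirroring the one in the report: the CN is the
# broker's FQDN and the SAN lists both the FQDN and "localhost".
BROKER_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "centos7-bats.example.com"),)),
    "subjectAltName": (("DNS", "centos7-bats.example.com"), ("DNS", "localhost")),
}

if __name__ == "__main__":
    for host in ("localhost", "centos7-bats.example.com", "other.example.com"):
        print(host,
              "cn-only:", match_hostname_cn_only(BROKER_CERT, host),
              "san-aware:", match_hostname(BROKER_CERT, host))
```

Running it shows "localhost" rejected by the CN-only check and accepted by the SAN-aware one, while a name in neither the SAN nor the CN is rejected by both. The fallback order matters: once a certificate carries any SAN DNS entry, the CN is ignored entirely, so a CN that is not also listed in the SAN no longer matches.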

Comment 1 Barnaby Court 2016-06-01 17:59:34 UTC
Fixed in version 0.9.54.6-1

Comment 3 Jitendra Yejare 2016-07-19 07:43:34 UTC
Why are the depends-on bugs of this bug still in Modified state while this bug is on QE? May I verify this bug before those 2 bugs get verified?

Comment 4 Stephen Benjamin 2016-07-19 12:58:22 UTC
There's nothing to verify here, it's a dev task to upgrade the version of the qpid library that ships with candlepin. The dependent bug needs that first.

Comment 5 Jitendra Yejare 2016-07-19 13:30:04 UTC
Verified !

This bug has nothing to test from a QE perspective as it's not customer facing.

So moving to verified state.

Comment 6 Jitendra Yejare 2016-07-19 13:33:02 UTC
Feel free to reopen if required.

Comment 7 Bryan Kearney 2016-07-27 11:16:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

Comment 8 Stephen Benjamin 2016-10-13 14:18:45 UTC
Hi,

This doesn't seem to be working for me, on this version of candlepin:

[root@qpid-localhost tomcat]# rpm -q candlepin
candlepin-0.9.54.6-1.el7.noarch


Tomcat still shows this error:

Caused by: java.lang.RuntimeException: javax.jms.JMSException: Error creating connection: SSL hostname verification failed. Expected : localhost Found in cert : qpid-localhost.example.com


The certificate shows alt names:

            X509v3 Subject Alternative Name: 
                DNS:qpid-localhost.example.com, DNS:localhost

Full certificate:

[root@qpid-localhost tomcat]# openssl s_client -connect localhost:5671 | openssl x509 -noout -text
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = qpid-localhost.example.com
verify return:1
depth=0 C = US, ST = North Carolina, O = pulp, OU = SomeOrgUnit, CN = qpid-localhost.example.com
verify return:1
140409204340640:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
140409204340640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12201245780118169912 (0xa95388645d2d6938)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=qpid-localhost.example.com
        Validity
            Not Before: Oct  6 14:00:59 2016 GMT
            Not After : Oct  8 14:00:59 2036 GMT
        Subject: C=US, ST=North Carolina, O=pulp, OU=SomeOrgUnit, CN=qpid-localhost.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:2d:bb:51:c0:3f:af:77:69:5f:cd:3f:19:9b:
                    ef:7a:06:fb:3d:d9:df:4c:72:69:d5:1d:54:1a:d0:
                    48:fc:72:fe:96:ba:ee:57:f8:97:03:d7:39:d3:4b:
                    a8:e7:f4:92:10:64:73:48:b2:aa:19:ce:0f:df:75:
                    c3:d9:01:3c:28:a9:a3:cf:7c:81:c1:bd:3b:e3:69:
                    5c:6b:b1:b4:a3:e6:f5:b3:86:77:7b:eb:d4:5e:84:
                    1e:0a:9b:eb:e1:8f:7b:47:38:98:16:ad:15:f8:45:
                    f5:28:35:ba:52:ed:e6:06:03:84:ee:f4:ec:38:a4:
                    e0:dc:ca:1e:c1:30:f4:b3:8c:7b:c6:3d:c3:5e:d8:
                    55:6e:69:5e:0b:e5:b3:b0:cc:49:c5:e1:ad:84:0c:
                    a7:98:5f:de:90:11:41:88:86:be:cd:ae:bc:25:15:
                    e1:d4:2d:7e:a6:18:09:50:a0:31:24:49:80:51:e0:
                    f9:92:c4:65:9a:c6:d1:fe:57:ca:bf:bc:92:cb:89:
                    08:3b:e6:26:07:34:db:f9:d8:87:9d:13:b5:aa:e3:
                    34:71:c1:d2:00:73:1c:cb:27:ab:e9:02:4e:8e:0b:
                    ec:a6:84:8d:f6:b3:6a:39:12:cb:c1:fb:ef:98:d3:
                    96:1a:9e:c4:e1:12:89:df:42:6b:18:da:0e:7d:c5:
                    0d:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                Katello SSL Tool Generated Certificate
            X509v3 Subject Key Identifier: 
                18:71:4B:69:4B:E8:F1:BB:48:A6:E1:51:D7:72:34:52:AF:37:D0:9C
            X509v3 Authority Key Identifier: 
                keyid:88:39:0F:2A:B8:B8:B0:6E:9B:66:1D:3C:A9:59:CA:0D:15:CB:9A:54
                DirName:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=qpid-localhost.example.com
                serial:A9:53:88:64:5D:2D:69:2F

            X509v3 Subject Alternative Name: 
                DNS:qpid-localhost.example.com, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         2a:53:88:c4:89:12:00:50:84:1f:78:c5:b8:45:d7:41:3c:8d:
         57:b5:22:60:0d:86:a7:49:50:76:c1:46:01:9c:5e:06:ea:50:
         7f:10:46:21:af:2c:3f:e9:01:80:38:66:e3:6b:3e:d6:93:33:
         77:ea:88:d5:0b:2e:b4:18:8a:7c:ce:14:c4:cf:0a:b2:59:5b:
         3b:46:08:98:65:74:4b:af:dc:75:13:c5:b4:29:f3:de:b5:3d:
         5c:3c:e5:75:55:4b:c6:3b:49:d8:ce:4c:b9:bd:1a:51:12:0d:
         11:ad:d8:09:06:f7:5f:4f:dc:86:42:97:0b:b3:01:31:4c:b3:
         a6:ff:4b:7f:0f:8f:8a:50:84:b9:8b:32:07:ef:9e:cd:1e:c9:
         fc:0c:30:6f:29:95:ed:15:ee:77:77:41:fa:e4:f7:eb:9c:41:
         0b:ab:75:28:d3:25:bf:b1:1f:b5:f0:0d:a9:d8:5a:9c:ac:9f:
         96:63:c3:e7:d2:75:c4:d4:6d:8d:2f:73:ce:f6:4c:cb:82:78:
         03:57:9c:4a:df:74:b0:91:d7:34:03:dc:c1:ed:44:a4:89:b2:
         c2:d9:8a:83:11:29:ed:e6:8e:a8:02:d1:80:b5:67:c6:c0:23:
         8d:f6:08:5d:de:31:4d:86:ee:ce:58:ef:f5:a3:82:27:ba:8b:
         31:9e:71:20

Comment 9 Barnaby Court 2016-10-13 21:29:40 UTC
Stephen, if you are still seeing this issue then please re-open.

Comment 10 Filip Nguyen 2016-10-20 11:37:20 UTC
Fixed in version 0.9.54.10-1

Comment 11 Craig Donnelly 2017-07-12 22:32:35 UTC
Seems like this should already be closed out.
I have candlepin-0.9.54.21-1.el7.noarch on my 6.2.10 install.

Does that sound good to you, Barnaby?

Comment 12 Barnaby Court 2017-07-26 09:32:26 UTC
Craig, I would agree

Comment 13 Bryan Kearney 2018-03-16 13:37:55 UTC
Per the comments above, I am closing this out as CURRENT RELEASE.