Bug 1419842

Summary: katello-certs-check doesn't check expiration date
Product: Red Hat Satellite
Reporter: Marcel Gazdík <mgazdik>
Component: Certificates
Assignee: Craig Donnelly <cdonnell>
Status: CLOSED ERRATA
QA Contact: Evgeni Golov <egolov>
Severity: low
Priority: unspecified
Version: 6.2.6
CC: cdonnell, chrobert, egolov, jcallaha, stbenjam
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-02-21 16:49:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Marcel Gazdík 2017-02-07 08:46:54 UTC
Description of problem:
  katello-certs-check should check that the certificates are not expired. Currently, when a certificate is expired, the utility marks it as valid; however, using such certificates leads to issues with communication between internal components.

Version-Release number of selected component (if applicable):
6.2

How reproducible:
Use an expired certificate and run the katello-certs-check utility on it.


Actual results:
  Check will be successful

Expected results:
  Information about invalid certificates will be delivered to the user.

Comment 2 Craig Donnelly 2017-03-09 03:44:44 UTC
Filed a PR for this here: https://github.com/Katello/katello-installer/pull/488
Added a check for the Certificate and CA separately since they can be created at different times.

Valid testing is to use an expired CA + Cert (Or one or the other expired) as well as using a valid CA + Cert.

Comment 4 Satellite Program 2017-03-11 17:03:05 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18849 has been resolved.

Comment 5 Evgeni Golov 2017-08-09 08:06:55 UTC
Created a new CA:
% openssl genrsa -out rootCA.key 2048
% openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Created a new key and csr:
% openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Created a valid signature:
% openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.valid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key

Created an expired signature:
% faketime '1 year ago' openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.invalid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key

Valid certificate validates just fine:
% katello-certs-check -c server.valid.crt -k server.key -r server.csr  -b ca/rootCA.pem
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

Validation succeeded.

Expired certificate raises an error:
% katello-certs-check -c server.invalid.crt -k server.key -r server.csr  -b ca/rootCA.pem
Checking expiration of certificate: [FAIL]
The certificate "/root/1419842/server.invalid.crt" already expired on: Nov 17 07:44:36 2016
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

For comparison, the old (6.2) version would return OK on the same expired cert:
% katello-certs-check.62 -c server.invalid.crt -k server.key -r server.csr  -b ca/rootCA.pem
Validating the certificate subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

→ VERIFIED
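The verification above runs the patched katello-certs-check against a valid and an expired certificate. The script below is an added example, not katello-certs-check's own code, showing the same two checks (certificate and CA bundle separately, as the fix does) with plain openssl. It assumes `openssl` is on PATH and uses `openssl x509 -checkend`, which exits non-zero when the certificate expires within the given number of seconds (0 means "already expired"). It also handles one caveat the one-file case hides: `openssl x509 -in` only reads the first PEM block, so a CA bundle holding an intermediate and a root is split and every certificate is checked. The function names and the `CHECK_WINDOW` variable are my own.

```shell
#!/bin/sh
# Added example (not part of katello-certs-check): expiry checks for a server
# certificate and for every certificate in a CA bundle, using only openssl.
# CHECK_WINDOW (assumed name) is the look-ahead in seconds; 0 fails only
# certificates that are already expired, which is what the bug asks for.

CHECK_WINDOW=${CHECK_WINDOW:-0}

# check_cert_expiry FILE [SECONDS]
# Returns 0 if the (first) certificate in FILE stays valid for at least
# SECONDS more seconds, 1 if it is expired or expires within that window,
# 2 if FILE is not a parsable certificate (e.g. a key passed by mistake).
check_cert_expiry() {
    file=$1
    window=${2:-$CHECK_WINDOW}
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo "Cannot parse certificate: $file" >&2
        return 2
    fi
    if openssl x509 -noout -checkend "$window" -in "$file" >/dev/null 2>&1; then
        echo "Checking expiration of certificate $file: [OK]"
        return 0
    fi
    # Report the notAfter date so the operator knows how stale the cert is.
    enddate=$(openssl x509 -noout -enddate -in "$file" | sed 's/^notAfter=//')
    echo "Checking expiration of certificate $file: [FAIL]"
    echo "The certificate \"$file\" expires (or already expired) on: $enddate" >&2
    return 1
}

# check_bundle_expiry BUNDLE [SECONDS]
# 'openssl x509' reads only the first PEM block, so a bundle containing an
# intermediate and a root is split into one file per certificate and each
# one is checked; any expired member fails the whole bundle.
check_bundle_expiry() {
    bundle=$1
    window=${2:-$CHECK_WINDOW}
    tmpdir=$(mktemp -d)
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    for part in "$tmpdir"/cert*.pem; do
        [ -e "$part" ] || { echo "No certificates found in $bundle" >&2; rc=2; break; }
        check_cert_expiry "$part" "$window" || rc=1
    done
    rm -rf "$tmpdir"
    return $rc
}

# Usage as a script: sh check_expiry.sh server.crt [ca-bundle.pem]
if [ $# -ge 1 ]; then
    check_cert_expiry "$1"
    [ $# -ge 2 ] && check_bundle_expiry "$2"
fi
```

A non-zero `CHECK_WINDOW` (for example `CHECK_WINDOW=2592000` for 30 days) turns the same script into an early warning that fires before the components stop talking to each other, rather than only after the certificate has already lapsed.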

Comment 6 Evgeni Golov 2017-08-09 09:24:56 UTC
Version Tested:
Satellite-6.3 Snap 10

Comment 7 Satellite Program 2018-02-21 16:49:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336