Bug 1419842
| Summary: | katello-certs-check doesn't check expiration date | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Marcel Gazdík <mgazdik> |
| Component: | Certificates | Assignee: | Craig Donnelly <cdonnell> |
| Status: | CLOSED ERRATA | QA Contact: | Evgeni Golov <egolov> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2.6 | CC: | cdonnell, chrobert, egolov, jcallaha, stbenjam |
| Target Milestone: | Unspecified | | |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-02-21 16:49:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Marcel Gazdík
2017-02-07 08:46:54 UTC
Filed a PR for this here: https://github.com/Katello/katello-installer/pull/488

Added a check for the Certificate and CA separately since they can be created at different times. Valid testing is to use an expired CA + Cert (or one or the other expired) as well as using a valid CA + Cert.

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18849 has been resolved.

Created a new CA:

```
% openssl genrsa -out rootCA.key 2048
% openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

Created a new key and CSR:

```
% openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
```

Created a valid signature:

```
% openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.valid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key
```

Created an expired signature:

```
% faketime '1 year ago' openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.invalid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key
```

Valid certificate validates just fine:

```
% katello-certs-check -c server.valid.crt -k server.key -r server.csr -b ca/rootCA.pem
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]
Validation succeeded.
```

Expired certificate raises an error:

```
% katello-certs-check -c server.invalid.crt -k server.key -r server.csr -b ca/rootCA.pem
Checking expiration of certificate: [FAIL]
The certificate "/root/1419842/server.invalid.crt" already expired on: Nov 17 07:44:36 2016
Checking expiration of CA bundle: [OK]
Validating the certificate
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]
```

For comparison, the old (6.2) version would return OK on the same expired cert:

```
% katello-certs-check.62 -c server.invalid.crt -k server.key -r server.csr -b ca/rootCA.pem
Validating the certificate
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]
Validation succeeded.
```

→ VERIFIED

Version Tested: Satellite-6.3 Snap 10

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
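The verification transcript above builds a valid and an expired certificate and runs both through the tool. What follows is an added example written for this page; it is not the katello-certs-check script and not the code of the linked PR. It shows how the two checks the PR comment describes (certificate and CA checked separately) can be done with the openssl CLI alone, and it rebuilds the reporter's test PKI offline so the checks can be exercised. The function names, the 30-day warning window, the placeholder CA subject, the scratch-directory layout and the use of `openssl ca` with `-startdate`/`-enddate` in place of faketime are this example's own assumptions; the server hostname is the one from the transcript. One caveat the example handles that the transcript does not show: `openssl x509` reads only the first PEM block of a file, so a CA bundle has to be split and every certificate in it checked, otherwise an expired intermediate behind a healthy root passes.

```shell
#!/bin/sh
# Added example, not the katello-certs-check script or the linked PR: expiry
# checks for a server cert and for every cert in a CA bundle, plus a fixture
# that rebuilds the reporter's PKI with a truly expired cert. Names are placeholders.

# check_cert_expiry FILE [WARN_DAYS]
# Returns 0 (valid), 1 (expires within WARN_DAYS, default 30) or 2 (expired or
# unreadable) and prints one verdict line in the style of the tool's output.
check_cert_expiry() {
    f=$1
    warn_days=${2:-30}
    not_after=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    if [ -z "$not_after" ]; then
        echo "[FAIL] Cannot read a certificate from: $f"
        return 2
    fi
    # -checkend N exits 1 if notAfter lies within the next N seconds; N=0 means "expired now"
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "[FAIL] The certificate \"$f\" already expired on: $not_after"
        return 2
    fi
    if ! openssl x509 -in "$f" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "[WARN] The certificate \"$f\" expires within $warn_days days, on: $not_after"
        return 1
    fi
    echo "[OK] The certificate \"$f\" is valid until: $not_after"
}

# check_bundle_expiry BUNDLE [WARN_DAYS]
# openssl x509 reads only the first PEM block of a file, so the bundle is split
# into one file per certificate and each one is checked; the worst verdict wins.
check_bundle_expiry() {
    bundle=$1
    tmpdir=$(mktemp -d)
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }' "$bundle"
    worst=0; count=0
    for c in "$tmpdir"/cert*.pem; do
        [ -e "$c" ] || break          # glob did not expand: no certificates at all
        count=$((count + 1))
        rc=0; check_cert_expiry "$c" "${2:-30}" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    rm -rf "$tmpdir"
    if [ "$count" -eq 0 ]; then
        echo "[FAIL] No certificates found in bundle: $bundle"
        return 2
    fi
    return "$worst"
}

# make_test_pki DIR: rebuilds the reporter's fixture offline: root CA, CSR, a
# 100-day and a 7-day cert, and an expired cert issued by openssl ca with an
# explicit 2016 validity window where the page used faketime.
make_test_pki() {
    dir=$1
    mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 1000 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/rootCA.pem
private_key = \$dir/rootCA.key
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -config "$dir/ca.cnf" -x509 -new -nodes -key "$dir/rootCA.key" -sha256 \
        -days 1024 -subj "/CN=Test Root CA" -out "$dir/rootCA.pem" 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/CN=sat63-qa-rhel7-puppet4.kangae.example.com" -out "$dir/server.csr" 2>/dev/null
    for days in 100 7; do
        openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
            -CAcreateserial -days "$days" -sha256 -out "$dir/server.$days.crt" 2>/dev/null
    done
    openssl ca -batch -config "$dir/ca.cnf" -in "$dir/server.csr" -notext \
        -startdate 160809074436Z -enddate 161117074436Z -out "$dir/server.expired.crt" 2>/dev/null
    # First cert fine, second expired: a check that reads only the first block would say [OK]
    cat "$dir/rootCA.pem" "$dir/server.expired.crt" > "$dir/bundle.pem"
}

# Stand-alone run: build the fixture in a scratch directory and print each verdict.
demo=$(mktemp -d); make_test_pki "$demo"
for f in server.100.crt server.7.crt server.expired.crt; do check_cert_expiry "$demo/$f" || true; done
check_bundle_expiry "$demo/bundle.pem" || true; rm -rf "$demo"
```

Run as a script it prints an [OK], a [WARN] and a [FAIL] verdict for the three server certificates and a [FAIL] for the bundle, because the expired certificate sits behind a healthy root. `check_cert_expiry` and `check_bundle_expiry` can be sourced and pointed at real files. Whether the shipped katello-certs-check inspects every certificate in a multi-cert bundle is not shown on this page; the transcript only shows a single-cert bundle passing.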