Bug 1609631

Summary: Capsule doesn't send certificate chain to the client when using custom SSL certificates
Product: Red Hat Satellite
Reporter: Hao Chang Yu <hyu>
Component: Certificates
Assignee: Eric Helms <ehelms>
Status: CLOSED WONTFIX
QA Contact: Stephen Wadeley <swadeley>
Severity: medium
Priority: unspecified
Version: 6.3.2
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-09-03 18:58:37 UTC
Type: Bug

Description Hao Chang Yu 2018-07-30 04:25:59 UTC
Description of problem:
Missing "SSLCertificateChainFile" in "/etc/httpd/conf.d/28-katello-reverse-proxy.conf" for Apache reverse proxy listening on port 8443.
Missing "SSLExtraChainCert" in "/usr/share/foreman-proxy/lib/launcher.rb" for foreman-proxy listening on port 9090.

How reproducible:

# openssl s_client -connect capsule.example.com:8443
CONNECTED(00000003)
depth=2 C = IN, ST = Something L = Somewhere O = My Org, CN = My Root Certificate Authority
verify return:1
depth=1 C = IN, ST = Something L = Somewhere O = Department A, CN = My Intermediate Certificate Authority, emailAddress = example
verify return:1
depth=0 C = IN, ST = Something L = Somewhere O = Capsule, OU = Making Capsule, emailAddress = example, CN = capsule.example.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Something/L=Somewhere/O=Capsule/OU=Making Capsule/emailAddress=example/CN=capsule.example.com
   i:/C=IN/ST=Something/L=Somewhere/O=Department A/CN=My Intermediate Certificate Authority/emailAddress=example
---


There is only depth 0 in the "Certificate chain" section. Expected 3 depths, including the Intermediate CA and the Root CA. The same issue happens on port 9090.
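The check described in this report can be scripted. The following is an added example, not part of the original report or of Satellite: it compares how many certificates the server sent with how long a path the client verified, using a constructed, trimmed copy of the s_client output above. The function names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `openssl s_client` output for a server that omits its chain.

# Constructed sample: the output from the report, trimmed to the relevant fields.
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=2 C = IN, O = My Org, CN = My Root Certificate Authority
verify return:1
depth=1 C = IN, O = Department A, CN = My Intermediate Certificate Authority
verify return:1
depth=0 C = IN, O = Capsule, CN = capsule.example.com
verify return:1
---
Certificate chain
 0 s:/C=IN/O=Capsule/CN=capsule.example.com
   i:/C=IN/O=Department A/CN=My Intermediate Certificate Authority
---
EOF
}

# chain_summary: read s_client output on stdin, print "sent=N path=M linked=yes|no".
#   sent   = certificates listed under "Certificate chain" (what the server sent)
#   path   = length of the path the client verified (highest depth=N line, plus one)
#   linked = whether each sent certificate's issuer equals the next one's subject
chain_summary() {
  awk '
    /^depth=[0-9]+/      { d = substr($1, 7) + 0; if (d + 1 > path) path = d + 1 }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n-1] = $0; next }
    END {
      linked = "yes"
      for (i = 0; i + 1 < n; i++) if (iss[i] != subj[i+1]) linked = "no"
      printf "sent=%d path=%d linked=%s\n", n, path, linked
    }'
}

# locally_supplied: number of certificates in the verified path that did not come
# from the server, i.e. that the client had to find in its own certificate store.
locally_supplied() {
  chain_summary | awk '{ split($1, s, "="); split($2, p, "="); print p[2] - s[2] }'
}

# Live use (the depth= lines are written to stderr, hence 2>&1):
#   openssl s_client -connect capsule.example.com:8443 </dev/null 2>&1 | chain_summary
```

On the sample, the client verified a three-certificate path although the server sent only one, so verification succeeded only because the other two were already in the client's certificate store.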

Comment 2 Bryan Kearney 2019-08-05 12:22:40 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 3 Bryan Kearney 2019-09-03 18:58:37 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.