Bug 1654326
| Summary: | katello-certs-check gives the wrong output if using certificate with wildcard. | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Suraj Patil <supatil> |
| Component: | Installation | Assignee: | Chris Roberts <chrobert> |
| Status: | CLOSED ERRATA | QA Contact: | Stephen Wadeley <swadeley> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.4 | CC: | bkearney, chrobert, ehelms, mmccune, pcreech, sadas, spetrosi, swadeley |
| Target Milestone: | 6.7.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | foreman-installer-1.24.1.19-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-14 13:39:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25564 has been resolved.

See also:
- Bug 1758181 - katello-certs-check does not support wildcard certificates
- Bug 1658360 - katello-certs-check is not showing satellite-installer command if wildcard SSL certificate is used.

Upstream bug assigned to supatil

Created attachment 1669054: cert-bundle

Hello

Testing with latest snap

```
[root@sat-6-7-qa-rhel7 ~]# rpm -q satellite
satellite-6.7.0-6.el7sat.noarch
```

Fixed in version says: foreman-installer-1.24.1.19-1

I have:

```
[root@sat-6-7-qa-rhel7 ~]# rpm -q foreman-installer
foreman-installer-1.24.1.20-1.el7sat.noarch
```

Create CA
--------------

```
[root@sat-6-7-qa-rhel7 ~]# git clone https://github.com/iNecas/ownca.git
Cloning into 'ownca'...
[root@sat-6-7-qa-rhel7 ~]# cd ownca/
[root@sat-6-7-qa-rhel7 ownca]# ./generate-ca.sh
Generating a 2048 bit RSA private key
.................................................................+++
..........................................+++
writing new private key to 'private/cakey.crt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:
[root@sat-6-7-qa-rhel7 ownca]#
```

Generate the certificate with wildcard in host name portion of FQDN
---------------------------------------------------------------------------

```
[root@sat-6-7-qa-rhel7 ownca]# ./generate-crt.sh "*.example.com"
Generating a 2048 bit RSA private key
..+++
...............+++
writing new private key to './*.example.com/*.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:Organizational Unit Name (department, division) []:Email Address []:Locality Name (city, district) [My Town]:State or Province Name (full name) [State or Providence]:Country Name (2 letter code) [US]:Common Name (hostname, IP, or your name) []:Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'My Company'
localityName          :PRINTABLE:'My Town'
stateOrProvinceName   :PRINTABLE:'State or Providence'
countryName           :PRINTABLE:'US'
commonName            :T61STRING:'*.example.com'
Certificate is to be certified until Mar 16 13:47:38 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@sat-6-7-qa-rhel7 ownca]#
```

Copy CA cert to server certs directory
----------------------------------------

```
[root@sat-6-7-qa-rhel7 ownca]# cp cacert.crt \*.example.com/
[root@sat-6-7-qa-rhel7 ownca]# cd \*.example.com/
[root@sat-6-7-qa-rhel7 *.example.com]# ls
cacert.crt  *.example.com.crt  *.example.com.crt.req  *.example.com.key
[root@sat-6-7-qa-rhel7 *.example.com]#
```

Check that the wildcard name is in the cert:
-----------------------------------------------

```
[root@sat-6-7-qa-rhel7 *.example.com]# openssl x509 -text -in \*.example.com.crt -noout | grep -B1 DNS
            X509v3 Subject Alternative Name:
                DNS:*.example.com
```

Check the certificate with katello-certs-check
-----------------------------------------------

```
[root@sat-6-7-qa-rhel7 *.example.com]# katello-certs-check -c *.example.com.crt -k *.example.com.key -b cacert.crt
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[OK]

Checking CA bundle size:
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Validation succeeded

To install the Red Hat Satellite Server with custom certificates, run:

    satellite-installer --scenario satellite \
      --certs-server-cert "/root/ownca/*.example.com/*.example.com.crt" \
      --certs-server-key "/root/ownca/*.example.com/*.example.com.key" \
      --certs-server-ca-cert "/root/ownca/*.example.com/cacert.crt"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
      --certs-server-cert "/root/ownca/*.example.com/*.example.com.crt" \
      --certs-server-key "/root/ownca/*.example.com/*.example.com.key" \
      --certs-server-ca-cert "/root/ownca/*.example.com/cacert.crt" \
      --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, rerun this command with -t capsule

[root@sat-6-7-qa-rhel7 *.example.com]#
```

OK, command output on last line looks better now:

    To use them inside a NEW $CAPSULE, rerun this command with -t capsule

Thank you

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454
Description of problem:

If we try to install custom certs on satellite with wildcard, i.e. CN=*.example.com, katello-certs-check gives the wrong output. katello-certs-check gives the command to generate the capsule certs as below instead of the satellite-installer command.

```
To use them inside a NEW $FOREMAN_PROXY, run this command:

    capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                           --certs-tar "~/$FOREMAN_PROXY-certs.tar"\
                           --server-cert "/customcerts/cert_crt.pem"\
                           --server-key "/customcerts/cert_key.pem"\
                           --server-ca-cert "/customcerts/CA_crt.pem"\

To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

    capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                           --certs-tar "~/$FOREMAN_PROXY-certs.tar"\
                           --server-cert "/customcerts/cert_crt.pem"\
                           --server-key "/customcerts/cert_key.pem"\
                           --server-ca-cert "/customcerts/CA_crt.pem"\
                           --certs-update-server
```

This issue was caused by the fix in the following RFE:

[RFE] katello-certs-check to distinguish between Satellite and Capsule
https://projects.theforeman.org/issues/22694

Version-Release number of selected component (if applicable):
satellite6.4
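As an added illustration (not katello-certs-check's own code, and not from the Foreman project), the block below shows a wildcard-aware host-name check of the kind a certificate checker needs before it can tell whether a certificate belongs on the Satellite host it is run on or on a Capsule. The DNS names are read from the text form of `openssl x509 -text -noout`, the same output the verification comment above greps for. The sample certificate text, the host name `sat-6-7-qa-rhel7.example.com`, the function names, and the exact-match contrast (shown only to reproduce the reported symptom, not as the script's real logic) are assumptions of this example; the matching rule (a wildcard only as the whole leftmost label, covering exactly one label) follows RFC 6125 section 6.4.3 rather than anything stated on the page.

```python
"""Wildcard-aware check of whether a server certificate covers a host.

Added example; it is not katello-certs-check's code. The names are taken
from the SAN block of `openssl x509 -text -noout` output, with the Subject
CN as a fallback when the certificate carries no SAN extension.
"""
import re

# Constructed sample of `openssl x509 -text -noout` output, trimmed to the
# parts this example reads (Subject line and the SAN extension).
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Subject: O=My Company, L=My Town, ST=State or Providence, C=US, CN=*.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:satellite.example.com
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""

# Assumed host name of the machine the check runs on.
LOCAL_FQDN = "sat-6-7-qa-rhel7.example.com"


def dns_names_from_openssl_text(text):
    """Return the lower-cased DNS: entries of the SAN block; fall back to the CN."""
    names = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "X509v3 Subject Alternative Name:":
            continue
        header_indent = len(line) - len(line.lstrip())
        # openssl indents the extension value deeper than its header; consume
        # every such line so multi-line SAN lists are handled too.
        j = i + 1
        while j < len(lines) and (len(lines[j]) - len(lines[j].lstrip())) > header_indent:
            for entry in lines[j].split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    names.append(entry[len("DNS:"):].lower())
            j += 1
    if not names:
        m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
        if m:
            names.append(m.group(1).strip().lower())
    return names


def name_matches(pattern, fqdn):
    """Does one certificate name cover fqdn?

    Exact (case-insensitive) match, or a wildcard that is the whole leftmost
    label and stands for exactly one label: "*.example.com" covers
    "host.example.com" but not "example.com", "a.b.example.com" or "*.com".
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False                      # partial or multiple wildcards: refuse
    suffix = pattern[1:]                  # ".example.com"
    if suffix.count(".") < 2:
        return False                      # "*.com" would cover a whole TLD
    if not fqdn.endswith(suffix):
        return False
    head = fqdn[: -len(suffix)]
    return bool(head) and "." not in head


def cert_role(names, fqdn, wildcard_aware=True):
    """'satellite' when the certificate names cover this host, else 'capsule'.

    wildcard_aware=False uses a plain string comparison; that is the kind of
    check (assumed here, not taken from the script) under which a wildcard
    certificate never matches the host and the capsule instructions appear.
    """
    if wildcard_aware:
        covered = any(name_matches(n, fqdn) for n in names)
    else:
        covered = any(n.lower() == fqdn.lower() for n in names)
    return "satellite" if covered else "capsule"


if __name__ == "__main__":
    names = dns_names_from_openssl_text(SAMPLE_OPENSSL_TEXT)
    print("names:", names)
    print("wildcard-aware:", cert_role(names, LOCAL_FQDN))
    print("exact-match only:", cert_role(names, LOCAL_FQDN, wildcard_aware=False))
```

Run on the constructed sample, the wildcard-aware check classifies the host as `satellite`, while the exact-match variant classifies the same certificate as `capsule`, which is the mismatch the report describes. The SAN block is preferred over the CN because that is the name set clients actually validate against; the CN fallback only matters for legacy certificates without a SAN extension.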