Bug 1658360

Summary: katello-certs-check is not showing satellite-installer command if wildcard SSL certificate is used.
Product: Red Hat Satellite
Reporter: Anto P Joseph <ajoseph>
Component: Certificates
Assignee: Chris Roberts <chrobert>
Status: CLOSED CURRENTRELEASE
QA Contact: Omkar Khatavkar <okhatavk>
Severity: medium
Priority: unspecified
Version: 6.4
CC: chrobert, ehelms, gpayelka, jeff.chapin, ktordeur, whitedm, zhunting
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-11-17 20:54:56 UTC
Type: Bug

Description Anto P Joseph 2018-12-11 20:38:22 UTC
Description of problem:

katello-certs-check is not showing satellite-installer command if wildcard SSL certificate is used.


Satellite FQDN(hostname) : satellite.example.com
Wildcard certificates (Subject: CN = *.example.com)


Running katello-certs-check
# katello-certs-check -c wildcard_sat.crt -k wildcard_sat.key -b chain.cert

  > validation succeeded

is printing only the capsule-related commands.

=============
To use them inside a NEW $FOREMAN_PROXY, run this command:

      capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                   --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                   --server-cert "~/wildcard_sat.crt"\
                                   --server-key "~/wildcard_sat.key"\
                                   --server-ca-cert "chain.cert"\

  To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

      capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                   --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                   --server-cert "~/wildcard_sat.crt"\
                                   --server-key "~/wildcard_sat.key"\
                                   --server-ca-cert "chain.cert"\
                                   --certs-update-server
==============


Upon checking, the following changes were noticed.


======== vim /usr/sbin/katello-certs-check

# Script is ending with Following conditions


#In Satellite 6.2

if [ $EXIT_CODE == "0" ]; then 	 >>>> satellite-installer command & capsule-cert-generate commands


#In Satellite 6.4
if [ $EXIT_CODE == "0" -a $CERT_HOSTNAME == $HOSTNAME ]; then    >>>>  satellite installer command

ISSUE : WildCard doesn't fall under this  $CERT_HOSTNAME != $HOSTNAME   (*.example.com != satellite.example.com)
---

elif [ $EXIT_CODE == "0" ]; then     >>>>   capsule certs-generate command printed

========

Is this expected? Planned from Satellite 6.4?


Actual results:

If wildcard SSL is used, katello-certs-check is returning EXAMPLE "capsule-certs-check" commands only.

Expected results:

katello-certs-check should return EXAMPLES of "satellite-installer" and "capsule-certs-check" commands.

Comment 9 whitedm 2019-09-18 18:04:26 UTC
The symptoms described in this bug affect Satellite 6.5.1, as I just worked with Red Hat Support to install a wildcard cert onto our existing Satellite server.
(As an aside, RHEL support was able to give me the `satellite-installer` command, and I now have my SSL cert installed -- I'm not requesting support in this post, but am rather providing additional information).

The 'katello-certs-check' output validated everything, but this line is interesting:

/sbin/katello-certs-check: line 168: [: too many arguments


Full stdout from katello-certs-check -c foo.crt -k foo.key -b foo.ca-bundle:


Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

/sbin/katello-certs-check: line 168: [: too many arguments
Validation succeeded


  To use them inside a NEW $CAPSULE, run this command:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                --certs-tar  "~/$CAPSULE-certs.tar" \
                                --server-cert "/root/foo.crt" \
                                --server-key "/root/foo.key" \
                                --server-ca-cert "/root/foo.ca-bundle" \

  To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                --certs-tar  "~/$CAPSULE-certs.tar" \
                                --server-cert "/root/foo.crt" \
                                --server-key "/root/foo.key" \
                                --server-ca-cert "/root/foo.ca-bundle" \
                                --certs-update-server
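
The 6.4 condition quoted in the description, one way the "[: too many arguments" message from comment 9 can arise, and a wildcard-aware hostname comparison, as an added shell example (not code from katello-certs-check or from anyone on this bug). The function names, the temporary-directory setup and the file names are constructed, and shell globbing of the unquoted wildcard is an assumed cause of the line 168 error, not one confirmed on this page.

```shell
#!/bin/sh
# Added illustration; names and the temp-directory setup are constructed.

# The 6.4 condition from the report with its variables left unquoted
# (the script uses bash "=="; POSIX "=" is used here). Extra arguments
# name files to create in the working directory before the test runs.
fragile_check() (
    dir=$(mktemp -d) || exit 99
    cd "$dir" || exit 99
    EXIT_CODE=0 CERT_HOSTNAME=$1 HOSTNAME=$2
    shift 2
    [ $# -gt 0 ] && touch "$@"
    [ $EXIT_CODE = "0" -a $CERT_HOSTNAME = $HOSTNAME ] 2>/dev/null
    rc=$?
    cd / && rm -rf "$dir"
    exit "$rc"
)

# Wildcard-aware comparison: "*.example.com" stands for exactly one
# leftmost label, so it covers satellite.example.com but neither
# a.b.example.com nor the bare example.com.
cert_covers_host() {
    cert=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $cert in
        \*.*)
            suffix=${cert#\*}      # ".example.com"
            label=${host%%.*}      # "satellite"
            [ -n "$label" ] && [ "$host" = "$label$suffix" ]
            ;;
        *)
            [ "$cert" = "$host" ]
            ;;
    esac
}

# Empty directory: the pattern stays literal, the string test is false (1),
# so the script falls through to the capsule-only branch.
fragile_check '*.example.com' satellite.example.com || echo "plain: $?"
# Two matching file names: the glob expands to two words and [ fails (2).
fragile_check '*.example.com' satellite.example.com \
    a.example.com b.example.com || echo "globbed: $?"
cert_covers_host '*.example.com' satellite.example.com && echo "covered"
```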

Comment 10 Stephen Wadeley 2019-10-03 13:47:17 UTC
see also

Bug 1758181 - katello-certs-check does not support wildcard certificates

Comment 11 Stephen Wadeley 2019-11-19 16:12:06 UTC
(In reply to Stephen Wadeley from comment #10)
> see also
> 
> Bug 1758181 - katello-certs-check does not support wildcard certificates

Bug 1654326 - katello-certs-check gives the wrong output if using certificate with wildcard

Comment 12 Stephen Wadeley 2020-09-02 14:00:27 UTC
*** Bug 1758181 has been marked as a duplicate of this bug. ***

Comment 13 Eric Helms 2020-11-17 20:54:56 UTC
Testing this with Satellite 6.8 and a set of self-generated wildcard certificates, I am not able to reproduce. Therefore, I am going to opt to close this current release. If this continues to be an issue, please re-open with details about the version of Satellite and any details about the certificates being used that you can supply without giving away your certificates.