Bug 1758185

Summary: katello-rhsm-consumer improperly handles CA bundles that already exist in system bundles
Product: Red Hat Satellite
Component: Certificates
Version: 6.4.2
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: jeff.chapin <jeff.chapin>
Assignee: Eric Helms <ehelms>
QA Contact: Stephen Wadeley <swadeley>
CC: ehelms, zhunting
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2020-03-06 14:11:52 UTC

Description jeff.chapin@uni.edu 2019-10-03 13:45:56 UTC
Description of problem:

katello-rhsm-consumer adds katello.pem to trusted system certificates -- even if it includes certificates already in the system bundles:


Version-Release number of selected component (if applicable):
6.4.3

How reproducible:
100%

Steps to Reproduce:
1. Reinstall katello-ca-consumer

Running Transaction
  Updating   : katello-ca-consumer-satellite.admin.uni.edu-1.0-5.noarch 
p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt
  Cleanup    : katello-ca-consumer-satellite.example.com-1.0-2.noarch 
  Verifying  : katello-ca-consumer-satellite.example.com-1.0-5.noarch 
  Verifying  : katello-ca-consumer-satellite.example.com-1.0-2.noarch
2. katello-rhsm-consumer, when run directly, also creates these errors

Actual results:

p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt


Expected results:

No errors


Additional info:

This causes issues with some FTP clients -- the error p11-kit: duplicate 'DigiCert High Assurance EV Root CA' certificate found in: ca-bundle.legacy.crt is thrown when they connect.

The issue is that DigiCert is already in a bundle, before katello tried to add it again.

Comment 3 Eric Helms 2019-10-24 14:32:48 UTC
As far as I know, given we run update-ca-trust to add our CA certificate to the system CA bundle, there isn't a way to avoid this since update-ca-trust looks at the anchors directory and ensures anything added there is in the bundle.

Comment 4 jeff.chapin@uni.edu 2019-10-28 12:21:28 UTC
So this is a bug with update-ca-trust? It's causing errors and problems when it adds duplicate certs, or is it a bug with Satellite putting a duplicate cert into the anchors directory?

Comment 5 Eric Helms 2019-11-05 20:04:35 UTC
What RHEL version are the clients that have this issue running?

Comment 6 jeff.chapin@uni.edu 2019-11-05 21:12:19 UTC
RHEL 6 -- I just double checked, and it did not occur on RHEL 7.

Comment 7 Eric Helms 2019-11-14 15:05:38 UTC
From my own testing, this appears to be a bug specific to the version in RHEL 6 that provides update-ca-trust. If there is a duplicate certificate present, it throws an issue and there isn't an easy way for us to detect that. I'd suggest this be closed won't fix and/or file a RHEL bug to get an update backported to RHEL 6.

Comment 8 Eric Helms 2020-03-06 14:11:52 UTC
Please re-file this against RHEL6 to get an updated update-ca-trust package.
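
The thread turns on a certificate in the file placed in the anchors directory that is also already in the system bundle. As an added example (not code from Satellite, update-ca-trust or p11-kit), the following compares a PEM file against a bundle by the SHA-256 of each certificate's decoded bytes. The function names and sample data are constructed, and treating "duplicate" as byte-identical DER is an assumption.

```python
import base64
import hashlib
import re

# Matches plain CERTIFICATE blocks only; "TRUSTED CERTIFICATE" blocks are not compared.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return [(sha256_hex_of_der, pem_block)] for each certificate in a PEM string."""
    out = []
    for m in PEM_RE.finditer(pem_text):
        # Strip line wrapping so differently wrapped copies hash the same.
        der = base64.b64decode("".join(m.group(1).split()))
        out.append((hashlib.sha256(der).hexdigest(), m.group(0)))
    return out


def partition_anchor(anchor_pem, bundle_pem):
    """Split the anchor file's certificates into (new, already_present) PEM blocks."""
    known = {fp for fp, _ in fingerprints(bundle_pem)}
    new, dup = [], []
    for fp, block in fingerprints(anchor_pem):
        (dup if fp in known else new).append(block)
        known.add(fp)  # a cert repeated inside the anchor file also counts
    return new, dup


def to_pem(der, width=64):
    """Wrap raw bytes as a PEM CERTIFICATE block (used to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins: opaque byte strings, not real certificates.
PUBLIC_ROOT = b"constructed public root CA " * 4
SATELLITE_CA = b"constructed satellite CA " * 4
SYSTEM_BUNDLE = to_pem(b"constructed other root " * 4) + to_pem(PUBLIC_ROOT)
# The anchor file carries the public root again, with different line wrapping.
KATELLO_PEM = to_pem(SATELLITE_CA) + to_pem(PUBLIC_ROOT, width=76)

if __name__ == "__main__":
    new, dup = partition_anchor(KATELLO_PEM, SYSTEM_BUNDLE)
    print(f"{len(new)} new, {len(dup)} already in the bundle")
```

On a real client, pass the contents of the file added to the anchors directory and of the system bundle as the two strings.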