Bug 1803027

Summary: RHEL8 clients with FUTURE policy get error EE certificate key too weak
Product: Red Hat Satellite
Reporter: Kenny Tordeurs <ktordeur>
Component: Registration
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DEFERRED
QA Contact: Stephen Wadeley <swadeley>
Severity: high
Priority: unspecified
Version: 6.6.0
CC: bkearney, javier.leonperis, jlenz, juhlir, satellite6-bugs, smozowei
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Doc Type: Known Issue
Doc Text:
Cause: Only new installations of Red Hat Satellite 6.8 and later will generate 4096-bit certificates. Upgrading from Red Hat Satellite 6.7, which generated 2048-bit RSA certificates, will not update the certificates to 4096-bit.
Consequence: RHEL8 Clients that have the crypto policy set to FUTURE cannot perform yum actions.
Workaround (if any): https://access.redhat.com/solutions/5393241 (Red Hat Enterprise Linux 8 clients with FUTURE policy get error: EE certificate key too weak)
Result: Customers upgrading from Satellite 6.7 and wanting to use RHEL8 Clients that have the crypto policy set to FUTURE must follow the solution.
Last Closed: 2020-09-11 21:01:15 UTC
Type: Bug

Description Kenny Tordeurs 2020-02-14 10:55:33 UTC
Description of problem:
RHEL8 Clients that have the crypto policy set to FUTURE cannot perform yum actions because the Certificate that is currently available is considered too weak for the FUTURE crypto policy.

Version-Release number of selected component (if applicable):
Satellite 6.6
RHEL8

How reproducible:
100%

Steps to Reproduce:
- Register RHEL8 client to Satellite
- update-crypto-policies --set FUTURE
- Try yum command

Actual results:
# yum repolist -v
~~~
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, uploadprofile
Updating Subscription Management repositories.

DNF version: 4.2.7
cachedir: /var/cache/dnf
error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ktordeur-sat65.sysmgmt.lan/pulp/repos/Default_Organization/Library/RHEL8/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak] (https://ktordeur-sat65.sysmgmt.lan/pulp/repos/Default_Organization/Library/RHEL8/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml).
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                                                      0.0  B/s |   0  B     00:00    
Cannot download 'https://ktordeur-sat65.sysmgmt.lan/pulp/repos/Default_Organization/Library/RHEL8/content/dist/rhel8/8/x86_64/appstream/os': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried.
Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms'
Error: Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms'
~~~

Expected results:
No errors

Additional info:
This is explained in:
https://access.redhat.com/solutions/4740591
https://access.redhat.com/articles/3666211

Comment 3 Susana Mozo Weisz 2020-03-30 09:27:38 UTC
Hi,

Customer is asking for a tentative release date. Please, could you give me some information?

Best regards

Susana

Comment 4 John B 2020-04-06 13:01:54 UTC
Also very interested in the timing of the fix, or proposed workaround.  Thank you.

Comment 5 Susana Mozo Weisz 2020-04-16 10:12:01 UTC
Hello,

Any news? Customer is asking.


Best regards

Susana

Comment 9 Jeremy Lenz 2020-08-19 14:31:18 UTC
Hi all,

Our team is now actively working on a solution for this.  Stay tuned!

Comment 10 Jeremy Lenz 2020-09-11 20:16:16 UTC
Please see the new KB doc created to address this issue: https://access.redhat.com/solutions/5393241

Comment 11 Jeremy Lenz 2020-09-11 21:01:15 UTC
In a future (no pun intended) version of Satellite, perhaps we can provide an easier, more automated solution.  Until then, performing the steps in the linked KB doc should resolve the issue.