
Bug 1930782

Summary: Registering RHEL 8 host with FUTURE crypto policy to Satellite using 4096 bit certificate signed by 2048 fails with generic CERTIFICATE_VERIFY_FAILED error.
Product: Red Hat Satellite
Reporter: Jaroslav Krajicek <jkrajice>
Component: Certificates
Assignee: Eric Helms <ehelms>
Status: CLOSED CURRENTRELEASE
QA Contact: Omkar Khatavkar <okhatavk>
Severity: medium
Priority: unspecified
Version: 6.8.0
CC: ahumbe, egolov, ehelms, gpayelka, jkrajice, ktordeur, zhunting
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2022-05-03 17:26:51 UTC
Type: Bug

Description Jaroslav Krajicek 2021-02-19 14:59:49 UTC
Description of problem:
When using custom certificates on Satellite 6.8,
generating 4096 bit certificate and signing with 2048 bit CA,
katello-certs-check passes and installer applies certificates correctly,
but RHEL hosts with FUTURE policy set are unable to subscribe.

Given that the weak signature weakens the cryptographic strength of the chain,
I'd see this as correct behavior; however, the error is the same as in other instances and it is unclear where the issue originates from.

Version-Release number of selected component (if applicable):
Satellite 6.8

How reproducible:
Consistently

Steps to Reproduce:
1. Generate 4096 bit certificate with OpenSSL
2. Generate request to sign the certificate
3. Sign the certificate with 2048 CA
4. katello-certs-check and install certificate on Satellite
5. Try to register RHEL 8 host with FUTURE crypto policy set

Actual results:
`Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)`

Expected results:
a) Warning or stopping the Satellite operator during katello-certs-check
b) Having a specific / easy to trace error output on the host during registration

Additional info:
Extracted and modified `ownca` commands can be used for easy reproduction,
using 4096 / 2048 bit keys and operations respectively

Comment 1 Jaroslav Krajicek 2021-02-19 15:32:51 UTC
Reproduction:

~~~
######################################################################## 100.0%
Generating a 2048 bit RSA private key
.................+++
........+++
writing new private key to 'private/cakey.crt'
-----
Generating RSA private key, 4096 bit long modulus
...................................++
........................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'State'
localityName          :ASN.1 12:'City'
organizationName      :ASN.1 12:'Organization'
organizationalUnitName:ASN.1 12:'Division'
commonName            :ASN.1 12:'satellite.example.com'
Certificate is to be certified until Feb 19 15:12:03 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking CA bundle size: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


To install the Red Hat Satellite Server with the custom certificates, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/tmp/tmp.MV0JwM63nw/satellite_cert.pem" \
                      --certs-server-key "/tmp/tmp.VdEfT9W0Ou/satellite_cert_key.pem" \
                      --certs-server-ca-cert "/tmp/tmp.MV0JwM63nw/cacert.crt"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/tmp/tmp.MV0JwM63nw/satellite_cert.pem" \
                      --certs-server-key "/tmp/tmp.VdEfT9W0Ou/satellite_cert_key.pem" \
                      --certs-server-ca-cert "/tmp/tmp.MV0JwM63nw/cacert.crt" \
                      --certs-update-server --certs-update-server-ca
To use them inside a NEW $CAPSULE, rerun this command with -t capsule
Package versions are locked. Continuing with unlock.
Marking certificate /root/ssl-build/satellite.example.com/satellite.example.com-apache for update
Marking certificate /root/ssl-build/satellite.example.com/satellite.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Preparing installation Done                                              
  Success!
  * Satellite is running at https://satellite.example.com

  * To install an additional Capsule on separate machine continue by running:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  * To upgrade an existing 6.7 Capsule to 6.8:
      Please see official documentation for steps and parameters to use when upgrading a 6.7 Capsule to 6.8.

  * Capsule is running at https://satellite.example.com:9090
  The full log is at /var/log/foreman-installer/satellite.log
Package versions are being locked.

[...satellite-installer omitted...]
~~~

~~~
# openssl verify -verbose -CAfile "/tmp/tmp.MV0JwM63nw/cacert.crt" "/tmp/tmp.MV0JwM63nw/satellite_cert.pem"
/tmp/tmp.MV0JwM63nw/satellite_cert.pem: OK
~~~

On RHEL 8 host:
~~~
[~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)

[~]# update-crypto-policies --set FUTURE
Setting system policy to FUTURE
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[~]# rpm -e $(rpm -qa 'katello-ca-consumer*'); rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Retrieving http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:katello-ca-consumer-satellite.exa################################# [100%]

[~]# subscription-manager register --user admin --pass redhat
Registering to: satellite.example.com:443/rhsm
Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

[~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[~]# subscription-manager register --user admin --pass redhat
Registering to: satellite.example.com:443/rhsm
The system has been registered with ID: 11dbef61-6651-43ff-9faa-67f6ee60d3d3
The registered system name is: host.example.com
~~~

Comment 4 Evgeni Golov 2022-01-25 14:45:18 UTC
Should katello-certs-check issue information to the user that a 2k CA might be insufficient in some cases?
Probably doesn't deserve a warning as it's OK in *most* cases, but not if you have FUTURE-enabled clients?
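The following script is an added example, not code from this bug or from the katello-certs-check tool. It reproduces the chain from the "Steps to Reproduce" (a 4096-bit server certificate signed by a 2048-bit CA) offline with the openssl CLI, and then does the two things the reporter asked for: it makes the failure specific by verifying the chain at OpenSSL security level 3 (which, like the RHEL 8 FUTURE policy, refuses RSA keys shorter than 3072 bits, so the 2048-bit CA is rejected with a named reason instead of a generic CERTIFICATE_VERIFY_FAILED), and it shows the kind of pre-install key-size check Comment 4 discusses. Assumptions: an openssl binary (1.1.0 or newer, for -auth_level) is in PATH; the subject names, file names and the 3072-bit threshold are illustrative; the server certificate is created without a SAN because that is not what the example is about.

```shell
#!/bin/sh
# Added example: reproduce the 4096-bit-cert-signed-by-2048-bit-CA chain offline
# and make the FUTURE-policy failure explicit. Assumes the openssl CLI is in PATH.
set -u

# build_chain DIR: 2048-bit self-signed CA plus a 4096-bit server certificate
# signed by it (the reporter's ownca-style setup). Names are illustrative.
build_chain() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -subj "/CN=satellite.example.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/server.csr" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -days 365 -sha256 -out "$dir/server.pem" >/dev/null 2>&1
}

# rsa_bits CERT: print the RSA modulus size of the certificate's public key.
# Works with both the "RSA Public-Key:" (1.1.1) and "Public-Key:" (3.x) spellings.
rsa_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# verify_chain CA CERT LEVEL: exit 0 if CERT chains to CA at OpenSSL security
# level LEVEL. Level 1 is close to the DEFAULT policy; level 3 requires RSA >= 3072,
# the same floor the FUTURE policy imposes, so it is used here as a stand-in.
verify_chain() {
  openssl verify -auth_level "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_ca_strength CA MINBITS: the pre-install warning Comment 4 talks about.
# Exit 0 if the CA key has at least MINBITS, otherwise warn on stderr and exit 1.
check_ca_strength() {
  bits=$(rsa_bits "$1")
  if [ -z "$bits" ] || [ "$bits" -lt "$2" ]; then
    echo "WARNING: CA key is ${bits:-unknown} bits; hosts on the FUTURE crypto policy require at least $2" >&2
    return 1
  fi
  return 0
}

main() {
  d=$(mktemp -d)
  build_chain "$d"
  echo "CA key: $(rsa_bits "$d/cacert.pem") bits, server key: $(rsa_bits "$d/server.pem") bits"
  verify_chain "$d/cacert.pem" "$d/server.pem" 1 && echo "auth_level 1 (DEFAULT-like): chain OK"
  verify_chain "$d/cacert.pem" "$d/server.pem" 3 || \
    echo "auth_level 3 (FUTURE-like): $(openssl verify -auth_level 3 -CAfile "$d/cacert.pem" "$d/server.pem" 2>&1 | grep error | head -n1)"
  check_ca_strength "$d/cacert.pem" 3072 || echo "a katello-certs-check style key-size check would have flagged this CA before installation"
  rm -rf "$d"
}

main "$@"
```

Running it prints the chain verifying cleanly at level 1 and being rejected at level 3 with OpenSSL's own reason for the 2048-bit CA, which is the specific diagnostic the host-side registration error hides. The same verify_chain call against a Satellite's published CA bundle and server certificate is a quick way to tell, before touching crypto policies on a host, whether FUTURE clients will be able to register.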

Comment 7 Eric Helms 2022-05-03 17:26:51 UTC
As the core of this BZ has been fixed and released already, I am opting to close as current release.