Bug 1951662

Summary: The Artemis client certificate is not updated in truststore if it changes
Product: Red Hat Satellite Reporter: Eric Helms <ehelms>
Component: InstallationAssignee: Eric Helms <ehelms>
Status: CLOSED ERRATA QA Contact: Devendra Singh <desingh>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.9.0CC: dsynk, jsenkyri, jturel, juwatts, ktordeur, kupadhya, mjia, swadeley, zhunting
Target Milestone: 6.9.2Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: foreman-installer-2.3.1.13-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-20 18:05:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Helms 2021-04-20 16:53:49 UTC 
The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>

[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt  | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095

However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>

[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B

Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>

[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56

They should match, but don't
Comment 1 Eric Helms 2021-04-20 16:53:53 UTC 
Created from redmine issue https://projects.theforeman.org/issues/31574
Comment 2 Eric Helms 2021-04-20 16:53:55 UTC 
Upstream bug assigned to ehelms
Comment 3 Stephen Wadeley 2021-04-20 18:26:22 UTC 
Hello

We hit this in Pulp3 migration, the workaround:
rm -rf /etc/candlepin/certs/truststore && foreman-installer
Comment 4 Bryan Kearney 2021-04-21 20:01:32 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31574 has been resolved.
Comment 10 Devendra Singh 2021-05-07 05:10:45 UTC 
Verified on 6.9.2 Snap2.

Verification points:

1- Generate the new certificate using the satellite-installer 

satellite-installer  --certs-update-all
2021-05-07 00:57:04 [NOTICE] [root] Loading default values from puppet modules...
2021-05-07 00:57:10 [NOTICE] [root] ... finished
2021-05-07 00:57:13 [NOTICE] [root] Running validation checks
Package versions are locked. Continuing with unlock.
2021-05-07 00:57:24 [NOTICE] [configure] Starting system configuration.
  The total number of configuration tasks may increase during the run.
  Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-07 00:57:39 [NOTICE] [configure] 100 out of 2363 done.
2021-05-07 01:00:09 [NOTICE] [configure] System configuration has finished.
  Success!


2- Checked the certificate at /root/ssl-build/${hostname} location.
# ls -l /root/ssl-build/xyz.com|wc -l
58

3- Remove the certificate from /root/ssl-build/${hostname} and run the installer again and found the certificate updated successfully at  /root/ssl-build/${hostname} location.

# rm -rf /root/ssl-build/xyz.com

# satellite-installer  --certs-update-all 
2021-05-07 01:02:08 [NOTICE] [root] Loading default values from puppet modules...
2021-05-07 01:02:14 [NOTICE] [root] ... finished
2021-05-07 01:02:17 [NOTICE] [root] Running validation checks
Package versions are locked. Continuing with unlock.
2021-05-07 01:02:27 [NOTICE] [configure] Starting system configuration.
  The total number of configuration tasks may increase during the run.
  Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-07 01:02:43 [NOTICE] [configure] 100 out of 2363 done.
....
2021-05-07 01:05:09 [NOTICE] [configure] 3200 out of 3223 done.
2021-05-07 01:05:13 [NOTICE] [configure] System configuration has finished.
  Success!

# ls -l /root/ssl-build/xyz.com|wc -l
58

4- Verified the fixed package 

# rpm -qa|grep foreman-installer-2.3.1.13-1
foreman-installer-2.3.1.13-1.el7sat.noarch
Comment 11 Eric Helms 2021-05-07 13:08:17 UTC 
I think the only part you are missing is either verification of the truststore or if you want to verify Satellite behavior, hitting the ping API and verifying all services are happy.
Comment 12 Devendra Singh 2021-05-07 16:25:28 UTC 
(In reply to Eric Helms from comment #11)
> I think the only part you are missing is either verification of the
> truststore or if you want to verify Satellite behavior, hitting the ping API
> and verifying all services are happy.

Checked candlepin services after the certificate updates and it works fine.

# hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          ok
    Server Response: Duration: 345ms
candlepin_events: 
    Status:          ok
    message:         3 Processed, 0 Failed
    Server Response: Duration: 0ms
candlepin_auth:   
    Status:          ok
    Server Response: Duration: 41ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp:             
    Status:          ok
    Server Response: Duration: 279ms
pulp_auth:        
    Status:          ok
    Server Response: Duration: 147ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 5ms
Comment 21 errata-xmlrpc 2021-05-20 18:05:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Satellite 6.9.2 Async Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2074