Bug 2052076

Summary: foreman-proxy does not log permissions errors when trying to read ssl_ca.pem
Product: Red Hat Satellite Reporter: Joniel Pasqualetto <jpasqual>
Component: Foreman ProxyAssignee: Adam Ruzicka <aruzicka>
Status: CLOSED ERRATA QA Contact: Vladimír Sedmík <vsedmik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.10.1CC: aruzicka, inecas, wpinheir
Target Milestone: 6.12.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-16 13:33:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joniel Pasqualetto 2022-02-08 16:26:46 UTC 
Description of problem:
If somehow the permissions of the file /etc/foreman-proxy/ssl_ca.pem are wrong in a way that the user foreman-proxy can't read it, multiple services will stop working due to the impossibility for the foreman-proxy daemon to validate client certificates sent by foreman when trying to communicate with it.

However, the error that will be returned is completely misleading only saying that it's unable to get local issuer certificate when in fact it simply can't read a file.


Version-Release number of selected component (if applicable):

I check on Satellite 6.10 (foreman-proxy-2.5.2-1.el7sat.noarch) and Satellite 6.9 (foreman-proxy-2.3.1-1.el7sat.noarch)

How reproducible:

Always

Steps to Reproduce:
1. Change the permissions of the file /etc/foreman-proxy/ssl_ca.pem:

~~~
chmod 600 /etc/foreman-proxy/ssl_ca.pem
~~~

2. Restart foreman-proxy service:

~~~
systemctl restart foreman-proxy
~~~

3. Try making a request that needs certificate validation:

~~~
#  curl --cacert /etc/foreman/proxy_ca.pem --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem https://$(hostname -f):9090/logs
curl: (35) Peer does not recognize and trust the CA that issued your certificate.
~~~

Actual results:
Returns an SSL error to the user and to the logs.


Expected results:
Return an generic SSL error to the user, but on the logs it should be clear that the file couldn't be read.


Additional info:
Comment 1 Joniel Pasqualetto 2022-02-08 17:15:56 UTC 
*** Bug 2052077 has been marked as a duplicate of this bug. ***
Comment 2 Bryan Kearney 2022-03-17 08:05:16 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/34613 has been resolved.
Comment 3 Brad Buckingham 2022-07-18 09:45:34 UTC 
Moving to ON_DEV as this is already in 6.12 SNAP 2:
foreman-proxy-3.3.0-1.el8sat.noarch
Comment 4 Vladimír Sedmík 2022-07-26 11:50:49 UTC 
Verified in 6.12.0 snap 3 - message about wrong permissions is logged during the service start

[root@sat ~]# ll /etc/foreman-proxy/ssl_ca.pem
-r--r-----. 1 root foreman-proxy 2537 Jul 21 14:25 /etc/foreman-proxy/ssl_ca.pem
[root@sat ~]# chmod 600 /etc/foreman-proxy/ssl_ca.pem
[root@sat ~]# systemctl restart foreman-proxy
[root@sat ~]# grep permissions /var/log/foreman-proxy/proxy.log
2022-07-26T06:49:29  [E] Unable to read /etc/foreman-proxy/ssl_ca.pem. Are the values correct in settings.yml and do permissions allow reading?
Comment 8 errata-xmlrpc 2022-11-16 13:33:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506