Bug 2239494
| Summary: | foreman-proxy does not send full certificate chain | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Joniel Pasqualetto <jpasqual> |
| Component: | Foreman Proxy | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED MIGRATED | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.13.5 | CC: | aruzicka, David.Gersting, ehelms, rlavi, wpinheir |
| Target Milestone: | Unspecified | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-06-06 16:29:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Bulk setting Target Milestone = 6.15.0 where sat-6.15.0+ is set.

*** Bug 2251075 has been marked as a duplicate of this bug. ***

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Description of problem:

When establishing an SSL connection against foreman-proxy configured with custom certs which use a bundle with root + intermediate certificates, the full certificate chain is not presented to the client. This requires that the client establishing the connection trust all the intermediate CAs of the bundle for it to work. If the full certificate chain is present, the client only needs to trust the ROOT CA for the connection to be verified.

This is important for customers using custom certs and doing registration through capsules, since a registration command goes to port 9090. Apache, for example, does offer the full certificate chain.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Configure your Satellite/Capsule to use custom certs and provide a bundle with more than one certificate
2. Try establishing a connection to the foreman-proxy and check the certificates sent by the server:

~~~
# Print the subject of every certificate the server presents during the handshake
echo | openssl s_client -connect $(hostname -f):9090 -showcerts 2> /dev/null | awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' 2> /dev/null
~~~

You will see only the server certificate.

Actual results:
Only server certificate is present, no CA chain.

Expected results:
Full certificate chain present

Additional info:
I do have a patch to smart-proxy that appears to work on my lab. Will send it as a PR upstream for evaluation.
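To show why the missing intermediates matter to a client that trusts only the root CA, here is an added Ruby example (not code from the bug report or from smart-proxy) that builds a throwaway root/intermediate/leaf chain in memory and runs the client-side verification both with and without the intermediate on the wire; all CA and host names are constructed for the example.

```ruby
require 'openssl'

# Build an X.509v3 certificate; self-signed when issuer_cert/issuer_key are nil.
# (Constructed lab PKI for this example, not a production issuance routine.)
def make_cert(subject, serial, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY, INTER_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = make_cert('/CN=Lab Root CA', 1, ROOT_KEY, nil, nil, ca: true)              # self-signed
INTER = make_cert('/CN=Lab Intermediate CA', 2, INTER_KEY, ROOT, ROOT_KEY, ca: true)
LEAF  = make_cert('/CN=capsule.lab.example', 3, LEAF_KEY, INTER, INTER_KEY, ca: false)

# Emulate the client side of the handshake: +trusted+ is the client's CA store,
# +presented+ the extra certificates the server sent after its own.
# Returns [verified?, error_string_or_nil].
def client_verifies?(trusted, presented, leaf)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented)
  [ok, ok ? nil : store.error_string]
end

if $PROGRAM_NAME == __FILE__
  # Server sends the intermediate (as Apache does): verifies with only the root trusted.
  p client_verifies?([ROOT], [INTER], LEAF)        # [true, nil]
  # Server sends only its own certificate (the behaviour this report describes).
  p client_verifies?([ROOT], [], LEAF)             # [false, "unable to get local issuer certificate"]
  # The workaround the report mentions: the client must also trust the intermediate.
  p client_verifies?([ROOT, INTER], [], LEAF)      # [true, nil]
end
```

On the server side these extra certificates are what OpenSSL::SSL::SSLContext#extra_chain_cert carries; on the client side OpenSSL::SSL::SSLSocket#peer_cert_chain returns what was actually presented, which is the in-process equivalent of the openssl s_client check above.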