Bug 2251075

Summary: foreman-proxy/9090 it's not presenting the complete chain when using custom certs
Product: Red Hat Satellite Reporter: Waldirio M Pinheiro <wpinheir>
Component: Foreman Proxy Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.14.0 CC: aruzicka
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: All   
OS: All   
Last Closed: 2023-11-22 18:36:21 UTC Type: Bug

Description Waldirio M Pinheiro 2023-11-22 18:27:26 UTC
Description of problem:
When using custom certs, we cannot see the complete chain when hitting port 9090

Version-Release number of selected component (if applicable):
6.14

How reproducible:
100%

Steps to Reproduce:
1. Install Satellite
2. Deploy custom certs
3. Hit ports 443 and 9090

Actual results:
The 9090 will present a single chain pointing to the intermediate

Expected results:
See the complete chain

Additional info:

Comment 1 Waldirio M Pinheiro 2023-11-22 18:36:21 UTC
Hello,

When using the self-signed certs, we can see the full chain, as presented below

443
=====
$ echo | openssl s_client -connect wallsat614.d.sysmgmt.cee.redhat.com:443
...
Certificate chain
 0 s:C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 11 00:45:18 2023 GMT; NotAfter: Jan 18 00:45:20 2038 GMT
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 18 00:45:12 2023 GMT; NotAfter: Jan 18 00:45:12 2038 GMT
...
=====


9090
=====
$ echo | openssl s_client -connect wallsat614.d.sysmgmt.cee.redhat.com:9090
...
Certificate chain
 0 s:C = US, ST = North Carolina, O = FOREMAN, OU = SMART_PROXY, CN = wallsat614.d.sysmgmt.cee.redhat.com
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 11 00:45:30 2023 GMT; NotAfter: Jan 18 00:45:32 2038 GMT
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = wallsat614.d.sysmgmt.cee.redhat.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 18 00:45:12 2023 GMT; NotAfter: Jan 18 00:45:12 2038 GMT
...
=====

However, when using the custom certs, this is the output

# echo | openssl s_client -connect $(hostname):443
---
Certificate chain
 0 s:CN = wallsat614customcert.d.sysmgmt.cee.redhat.com
   i:C = CA, ST = British Columbia, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Intermediate CA
 1 s:C = CA, ST = British Columbia, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Intermediate CA
   i:C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
 2 s:C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
   i:C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
---


# echo | openssl s_client -connect $(hostname):9090
---
Certificate chain
 0 s:CN = wallsat614customcert.d.sysmgmt.cee.redhat.com
   i:C = CA, ST = British Columbia, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Intermediate CA
---


One important piece of information, though. When redirecting the complete output, we can see the depth info, which presents the complete chain
---
# echo | openssl s_client -connect $(hostname):443 &>/tmp/443.log

[root@wallsat614customcert ~]# head -n 20 /tmp/443.log 
depth=2 C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
verify return:1
depth=1 C = CA, ST = British Columbia, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Intermediate CA
verify return:1
depth=0 CN = wallsat614customcert.d.sysmgmt.cee.redhat.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = wallsat614customcert.d.sysmgmt.cee.redhat.com
   i:C = CA, ST = British Columbia, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Intermediate CA
 1 s:C = CA, ST = British Columbia, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Intermediate CA
   i:C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
 2 s:C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
   i:C = CA, ST = British Columbia, L = New Westminster, O = Wallys Co, OU = Wallys Co CA-IT, CN = Wallys Root CA, emailAddress = waldirio
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGIDCCBAigAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCQ0Ex
GTAXBgNVBAgMEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAoMCVdhbGx5cyBDbzEY
---

*** This bug has been marked as a duplicate of bug 2239494 ***
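
The comparison made by hand above can be scripted. The following is an added example, not part of the bug report or of Satellite: a helper that summarizes the "Certificate chain" block printed by `openssl s_client`, so the chain sent on each port can be compared. The function name and the sample distinguished names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): summarize the "Certificate chain"
# block that `openssl s_client` prints, so two ports can be compared.

# Reads s_client output on stdin; prints "certs=N linked=yes|no unsent_issuer=DN|none".
chain_summary() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && n > 0 && /^ *i:/ { sub(/^ *i:/, ""); iss[n-1] = $0; next }
    END {
      linked = "yes"
      # Every certificate must be issued by the next one the server sent.
      for (i = 0; i + 1 < n; i++) if (iss[i] != subj[i+1]) linked = "no"
      # If the last certificate is not self-signed, its issuer was not sent.
      unsent = (n > 0 && iss[n-1] != subj[n-1]) ? iss[n-1] : "none"
      printf "certs=%d linked=%s unsent_issuer=%s\n", n, linked, unsent
    }'
}

# Constructed sample: full chain (leaf, intermediate, root), as on port 443.
sample_full() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = sat.example.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
---
EOF
}

# Constructed sample: leaf only, as on port 9090 with custom certs.
sample_leaf_only() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = sat.example.com
   i:CN = Example Intermediate CA
---
EOF
}

# Live use: echo | openssl s_client -connect "$(hostname)":9090 2>/dev/null | chain_summary
```

An `unsent_issuer` that names an intermediate CA rather than a root in the client's trust store means a client that trusts only the root cannot build the path from what the server sent.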