Bug 2280065

Summary: Can't update custom certs on the 6.15.0
Product: Red Hat Satellite
Reporter: Amar Ganbat <aganbat>
Component: Installation
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high
Priority: urgent
Version: 6.15.0
CC: ehelms, pmoravec, rlavi
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2024-05-30 12:42:01 UTC
Type: Bug
Regression: ---
Documentation: ---

Comment 1 Pavel Moravec 2024-05-11 12:04:29 UTC
The certs *can* be *generally* updated on 6.15. The above is no reproducer, I can update my certs that way.

What makes the scenario unique / failing? I *think* this bit can be relevant for...

katello-certs-check \
  -c <satellite_cert.pem> \
  -k <satellite_cert_key.pem> \
  -b <ca_cert_bundle.pem>

...:

function check-expiration () {
    CERT_EXP=$(openssl x509 -noout -enddate -in $CERT_FILE | sed -e 's/notAfter=//' | awk '{$NF="";}1')
    CA_EXP=$(openssl x509 -noout -enddate -in $CA_BUNDLE_FILE | sed -e 's/notAfter=//' | awk '{$NF="";}1')

what if <ca_cert_bundle.pem> is a CA chain and *some* intermediate CA is out of validity? openssl prints just the first (or last?) cert's details.

We might need to split the CA per:

awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "ca_cert." c ".pem"}' < $CA_BUNDLE_FILE

and get the soonest expiration timestamp from all the ca_cert.*.pem files.


(I should play with this reproducer more, though, but I think this is a real bug in katello-certs-check; maybe independent of the originally reported bug)
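
The per-certificate check sketched in the comment above, written out as an added example (it is not code from the bug report or from katello-certs-check): split the bundle with awk, take the earliest notAfter over every piece, and flag any piece that fails `openssl x509 -checkend`. The reason the existing check misses an expired intermediate is that `openssl x509` parses only the first PEM object in its input, so `-enddate` on a bundle reports the first certificate's expiry and nothing else. The function names, the GNU coreutils `date -d` dependency and the POSIX sh target are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of katello-certs-check itself.
# Checks every certificate in a PEM bundle instead of only the first one that
# `openssl x509` reads. Assumes POSIX sh, an `openssl` binary on PATH and GNU
# coreutils `date -d` (true on a RHEL-style Satellite host). Function names are
# illustrative.
set -eu

# Split a PEM bundle into one file per certificate (ca_cert.1.pem, ca_cert.2.pem,
# ...) inside $2 and print how many certificates were found. Text before the
# first BEGIN marker (e.g. "subject=" preambles) is skipped instead of being
# written to a bogus ca_cert.0.pem.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERT/ { c++ }
        c > 0             { print > (dir "/ca_cert." c ".pem") }
        END               { print c + 0 }' "$1"
}

# notAfter of a single certificate as a Unix timestamp (keeps the GMT suffix
# and parses it in UTC rather than stripping it).
cert_enddate_epoch() {
    notafter=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -u -d "$notafter" +%s
}

# What check-expiration effectively measures today: `openssl x509` parses only
# the first PEM object in the file, so this is the first cert's notAfter.
bundle_first_enddate() {
    cert_enddate_epoch "$1"
}

# Earliest notAfter across all certificates in the bundle; this is the value
# the server certificate should be compared against.
bundle_min_enddate() {
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    min=""
    i=1
    while [ "$i" -le "$n" ]; do
        e=$(cert_enddate_epoch "$tmp/ca_cert.$i.pem")
        if [ -z "$min" ] || [ "$e" -lt "$min" ]; then
            min=$e
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$min"
}

# Return 1 (naming the offender on stderr) if any certificate in the bundle
# expires within $2 seconds; $2 defaults to 0, i.e. "already expired".
check_bundle_expiry() {
    within=${2:-0}
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    rc=0
    i=1
    while [ "$i" -le "$n" ]; do
        if ! openssl x509 -noout -checkend "$within" -in "$tmp/ca_cert.$i.pem" >/dev/null; then
            subj=$(openssl x509 -noout -subject -in "$tmp/ca_cert.$i.pem")
            echo "cert $i of $n in $1 expires within ${within}s: $subj" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: ./bundle-expiry.sh <ca_cert_bundle.pem> [seconds]
if [ $# -gt 0 ]; then
    check_bundle_expiry "$1" "${2:-0}"
fi
```

Run it against the same bundle that is passed to `katello-certs-check -b`; a non-zero exit names which certificate in the chain is the problem, which is the detail the single `openssl x509 -enddate` call in check-expiration cannot give.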

Comment 2 Eric Helms 2024-05-30 12:42:01 UTC

*** This bug has been marked as a duplicate of bug 2174489 ***