Bug 1129788 - rhn-ssl-tool garbles server.pem when used with a 3rd-party CA
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer
Version: 560
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Jan Dobes
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: 462714
Reported: 2014-08-13 16:37 UTC by Peter Oliver
Modified: 2018-04-09 11:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-09 11:20:56 UTC



Description Peter Oliver 2014-08-13 16:37:01 UTC
I've encountered a couple of problems when trying to use rhn-ssl-tool to package keys and certificates for use with jabberd.

- It appears that server.pem is not truncated when opened for writing by rhn-ssl-tool; some of the previous contents can be found at the end of the file.
- Only the Satellite's certificate and keypair are written to server.pem.  I believe that this file needs to contain the entire certificate chain up to the root CA for XMPP clients to be able to verify the Satellite's certificate.

Steps to Reproduce:
sudo rhn-ssl-tool --gen-server --dir=/root/ssl-build --key-only
sudo rhn-ssl-tool --gen-server --dir=/root/ssl-build --cert-req-only --set-country ... --set-state ... --set-city ... --set-org ... --set-org-unit ... --set-email ...
Acquire a signed cert and place it in /root/ssl-build/`hostname --short`/server.csr
sudo rhn-ssl-tool --gen-server --dir=/root/ssl-build --rpm-only
sudo rpm -Uhv /root/ssl-build/.../rhn-org-httpd-ssl-key-pair-...-1.0-5.noarch.rpm
sudo service jabberd start && sudo service osa-dispatcher start
Initializing jabberd processes ...
Starting router:                                           [  OK  ]
Starting sm:                                               [  OK  ]
Starting c2s:                                              [  OK  ]
Starting s2s:                                              [  OK  ]
Starting osa-dispatcher: Spacewalk 14195 2014/08/13 17:32:06 +01:00: ('Traceback caught:',)
Spacewalk 14195 2014/08/13 17:32:06 +01:00: ('Traceback (most recent call last):\n  File "/usr/share/rhn/osad/jabber_lib.py", line 616, in connect\n    ssl.do_handshake()\nError: [(\'SSL routines\', \'SSL3_GET_SERVER_CERTIFICATE\', \'certificate verify failed\')]\n',)
                                                           [FAILED]
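
Added example (not part of the original report, and not rhn-ssl-tool's own code): a Python check for the first symptom described above, stale content left at the end of server.pem. It assumes the cause is a write that omits O_TRUNC; the function names are hypothetical and the PEM bodies are constructed placeholders, not real key material.

```python
import os
import re
import tempfile

# One complete PEM block whose BEGIN and END labels agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+?-----END \1-----\r?\n?"
)

def audit_pem_bundle(text):
    """Return (labels of complete blocks, leftover text outside any block)."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    leftover = PEM_BLOCK.sub("", text).strip()
    return labels, leftover

def write_without_truncate(path, data):
    # Assumed reproduction of the reported symptom: O_TRUNC is omitted,
    # so bytes of the previous file beyond len(data) survive.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def write_atomically(path, data):
    # Fresh 0600 temp file in the same directory, then rename over the
    # target, so readers never see a mix of old and new content.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.replace(tmp, path)

def block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def demo():
    # Constructed placeholder bodies, not real certificates or keys.
    old = block("CERTIFICATE", "T0xE" * 60) + block("RSA PRIVATE KEY", "S0VZ" * 40)
    new = block("CERTIFICATE", "TkVX" * 8) + block("RSA PRIVATE KEY", "S0VZ" * 8)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.pem")
        write_atomically(path, old)        # previous, longer server.pem
        write_without_truncate(path, new)  # shorter rewrite, no O_TRUNC
        with open(path) as fh:
            stale = audit_pem_bundle(fh.read())
        write_atomically(path, new)        # corrected write path
        with open(path) as fh:
            clean = audit_pem_bundle(fh.read())
    return stale, clean
```

Running audit_pem_bundle over a deployed server.pem and treating any leftover text or unexpected extra block as a failure catches this condition before jabberd is restarted.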

Comment 2 Tomas Lestach 2018-04-09 11:20:56 UTC
We have re-reviewed this bug, as part of an ongoing effort to improve Satellite/Proxy feature and bug updates, review and backlog.

This is a low priority bug and has no currently open customer cases. While this bug may still be valid, we do not see it being implemented prior to the EOL of the Satellite 5.x product. As such, this is being CLOSED DEFERRED.

Closing now to help set customer expectations as early as possible. You are welcome to re-open this bug if needed.

