Bug 1169289 - [RFE] validate custom certificates before Satellite 6 installation
Summary: [RFE] validate custom certificates before Satellite 6 installation
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Ivan Necas
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-01 09:21 UTC by Ivan Necas
Modified: 2019-11-14 06:33 UTC (History)
CC List: 13 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-29 14:17:00 UTC
Target Upstream Version:
Embargoed:


Attachments
A set of test certificates for testing (8.81 KB, application/x-gzip)
2015-04-08 11:44 UTC, Ivan Necas


Links
| System                            | ID             | Private | Priority | Status       | Summary                                                             | Last Updated            |
| Foreman Issue Tracker             | 8609           | 0       | High     | Closed       | [RFE] validate custom certificates before Satellite 6 installation | 2020-01-20 16:36:53 UTC |
| Red Hat Knowledge Base (Solution) | 1293173        | 0       | None     | None         | None                                                                | Never                   |
| Red Hat Product Errata            | RHSA-2015:1592 | 0       | normal   | SHIPPED_LIVE | Important: Red Hat Satellite 6.1.1 on RHEL 6                        | 2015-08-12 09:04:35 UTC |

Description Ivan Necas 2014-12-01 09:21:50 UTC
Description of problem:
There are a couple of qualities of the provided custom certs that need to be met before the installation can be successful:

 - format of the certificate files
 - the keys working with certs
 - the ca bundle containing all the ca certs up to the root ca
 - the server cert matching the host fqdn


We should validate these qualities before starting the installation itself,
as it would eliminate the issues people run into caused by some of these prerequisites.

Comment 2 Bryan Kearney 2014-12-03 19:58:56 UTC
Can this be a tool we deliver with satellite that can be run and we document the use of the tool?

Comment 4 Ivan Necas 2014-12-08 12:34:44 UTC
Created redmine issue http://projects.theforeman.org/issues/8609 from this bug

Comment 5 Ivan Necas 2014-12-08 14:09:17 UTC
Proposed solution at https://bugzilla.redhat.com/show_bug.cgi?id=1169289; the script https://github.com/iNecas/katello-installer/blob/issue/8609/bin/katello-certs-check can be used separately for on-site certs investigation.

Comment 9 Elyézer Rezende 2015-04-07 13:51:37 UTC
Ivan, can you please provide more information about the steps required to verify this bug?

I'm looking for steps to produce a success and a failure output from the katello-certs-check script, in order to make sure that it is working fine.

Thank you

Comment 10 Ivan Necas 2015-04-08 11:44:11 UTC
Created attachment 1012176 [details]
A set of test certificates for testing

Comment 11 Ivan Necas 2015-04-08 11:51:13 UTC
To test the functionality one should follow the documented steps for setting up custom certs: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Configuring_RednbspHat_Satellite_with_a_Custom_Server_Certificate.html

I've attached a set of certs one can check. In the failed case, the installation should fail pretty
soon, before proceeding to the installation itself (even the progress bar should not be shown).

For the success case, it should proceed to the installation (you might get errors later
as the FQDN in the certs does not match the hostname, but that's outside the scope of this
change).

To explain how the example certificates were prepared: invalid.example.com is a valid set of certificates,
but it was issued by a different CA, so the CA cert doesn't match it. This matrix checks that an invalid CA or key
is caught.

| ca-cert    | cert                    | key                     | req                         | result |
| cacert.crt | katello.example.com.crt | katello.example.com.key | katello.example.com.crt.req | OK     |
| cacert.crt | invalid.example.com.crt | katello.example.com.key | katello.example.com.crt.req | FAIL   |
| cacert.crt | katello.example.com.crt | invalid.example.com.key | katello.example.com.crt.req | FAIL   |
| cacert.crt | invalid.example.com.crt | invalid.example.com.key | katello.example.com.crt.req | FAIL   |
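The four checks the RFE asks for (file format, key matching cert, CA chain, FQDN) and the matrix above, as an added example that is not the katello-certs-check script from the linked repository. The two throwaway CAs, the file names and the hostnames are constructed test data; it assumes the openssl CLI (1.1 or newer) is on PATH.

```bash
#!/usr/bin/env bash
# Added example, not the katello-certs-check script: the four pre-flight checks the RFE
# asks for, plus constructed fixtures reproducing comment 11's matrix. Needs openssl >= 1.1.
set -u
# certs_check CA_CERT SERVER_CERT SERVER_KEY FQDN -> prints OK, or FAIL:<reason> and returns 1
certs_check() {
  local ca=$1 cert=$2 key=$3 fqdn=$4
  # 1. Format: each file must parse as PEM of the expected type.
  openssl x509 -in "$ca"   -noout 2>/dev/null || { echo "FAIL:ca-cert is not a PEM certificate"; return 1; }
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL:cert is not a PEM certificate"; return 1; }
  openssl pkey -in "$key"  -noout 2>/dev/null || { echo "FAIL:key is not a PEM private key"; return 1; }
  # 2. Key belongs to cert: the public key derived from each side must be identical.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL:key does not match cert"; return 1; }
  # 3. CA bundle chains the server cert up to a root it contains.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "FAIL:cert was not issued by ca-cert"; return 1; }
  # 4. Cert was issued for this host's FQDN (SAN, or CN when the cert has no SAN).
  openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL:cert is not issued for $fqdn"; return 1; }
  echo OK
}
# issue_cert DIR NAME CA : key + CSR for NAME, signed by DIR/CA.{crt,key} with SAN=NAME (constructed).
issue_cert() {
  local d=$1 name=$2 ca=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.crt.req" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" > "$d/$name.san"
  openssl x509 -req -in "$d/$name.crt.req" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" -CAcreateserial \
    -extfile "$d/$name.san" -days 1 -out "$d/$name.crt" 2>/dev/null
}
# make_fixtures DIR : katello.example.com signed by cacert; invalid.example.com is a valid
# pair on its own but signed by an unrelated CA, the situation comment 11 describes.
make_fixtures() {
  local d=$1 ca
  for ca in cacert otherca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
  done
  issue_cert "$d" katello.example.com cacert
  issue_cert "$d" invalid.example.com otherca
}
# run_matrix DIR : the four rows of comment 11's table, plus a row with the wrong FQDN.
run_matrix() {
  local d=$1 row
  for row in "katello katello" "invalid katello" "katello invalid" "invalid invalid" "katello katello other.example.com"; do
    set -- $row
    printf '%-27s %-27s %-20s %s\n' "$1.example.com.crt" "$2.example.com.key" "${3:-katello.example.com}" \
      "$(certs_check "$d/cacert.crt" "$d/$1.example.com.crt" "$d/$2.example.com.key" "${3:-katello.example.com}")"
  done
}
d=$(mktemp -d); make_fixtures "$d"; run_matrix "$d"
```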

Comment 13 Tazim Kolhar 2015-06-05 10:47:47 UTC
FAILEDQA:
# rpm -qa | grep foreman
foreman-compute-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.13-1.el6_6sat.noarch
foreman-vmware-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
foreman-postgresql-1.7.2.26-1.el6_6sat.noarch
foreman-libvirt-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.7-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.6-1.el6_6sat.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
foreman-debug-1.7.2.26-1.el6_6sat.noarch
foreman-ovirt-1.7.2.26-1.el6_6sat.noarch
foreman-gce-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.15-1.el6_6sat.noarch
foreman-proxy-1.7.2.5-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch
intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
ruby193-rubygem-foreman_docker-1.2.0.14-1.el6_6sat.noarch
intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
foreman-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch


steps
# katello-installer --certs-server-cert /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt --certs-server-cert-req /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt.req --certs-server-key /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.key --certs-server-ca-cert /root/ownca/cacert.crt --certs-update-server --certs-update-server-ca
Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-apache for update
Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
 /Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
 /Stage[main]/Apache::Service/Service[httpd]: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Could not evaluate: Connection refused - connect(2)
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Failed to call refresh: Connection refused - connect(2)
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Connection refused - connect(2)
Installing             Done                                               [100%] [..................................................................]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log

Comment 17 errata-xmlrpc 2015-08-12 05:20:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

Comment 18 sthirugn@redhat.com 2015-08-14 20:46:41 UTC
Accidentally closed with 6.1.1 errata

Comment 19 Bryan Kearney 2016-07-29 14:04:40 UTC
Upstream bug assigned to inecas

Comment 20 Stephen Benjamin 2016-07-29 14:17:00 UTC
The upstream issue has been closed for a year, and the code was included as part of Satellite 6.2's installer.

