Bug 1296301 - Katello-installer and capsule-certs-generate sign certificates with sha1 [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
Version: 6.1.5
Hardware: All All
Priority: unspecified Severity: high
Target Milestone: Beta
Assigned To: Katello Bug Bin
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Keywords: Triaged
Duplicates: 1314418
Reported: 2016-01-06 15:36 EST by dzr0001
Modified: 2017-02-13 07:58 EST
Doc Type: Bug Fix
Last Closed: 2016-07-27 05:01:17 EDT
Type: Bug
ahuchcha: needinfo? (kbidarka)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Article) 2697761 None None None 2016-10-13 01:19 EDT

Description dzr0001 2016-01-06 15:36:45 EST
Description of problem:

Generated certificates are signed with sha1 instead of sha256.

Version-Release number of selected component (if applicable):

6.1.5, likely all

How reproducible:

100%

Steps to Reproduce:

1. Install satellite or generate capsule certificates
2. Inspect certificates

Actual results:

Certificates are signed with a sha1 algorithm

Expected results:

Certificates should be signed with a sha2 algorithm

Additional info:

This appears to have been fixed in katello upstream https://github.com/Katello/katello-certs-tools/commit/b68836ab1b70d085691168dbc3748769c405e522
Comment 1 Bryan Kearney 2016-01-12 13:12:52 EST
Connecting redmine issue http://projects.theforeman.org/issues/10777 from this bug
Comment 2 Corey Welton 2016-01-12 13:13:48 EST
QE: ping ehelms or someone else on dev on what ssl commands to use
Comment 8 Kedar Bidarkar 2016-04-01 14:36:34 EDT
[xyz@abc certs]# ls *.crt
abc.redhat.com-apache.crt                abc.redhat.com-qpid-broker.crt
abc.redhat.com-foreman-client.crt        abc.redhat.com-qpid-client-cert.crt
abc.redhat.com-foreman-proxy-client.crt  abc.redhat.com-qpid-router-client.crt
abc.redhat.com-foreman-proxy.crt         abc.redhat.com-qpid-router-server.crt
abc.redhat.com-puppet-client.crt


[xyz@abc certs]# for i in `ls *.crt`; do openssl x509 -text -noout -in $i | grep -i sha256WithRSAEncryption; done
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption


All the certs now use sha256 and not sha1 algorithm
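
An added example, not part of the bug report or of Katello's tooling: a per-file variant of the check in comment 8 that prints each certificate's signature algorithm and returns non-zero if any is SHA-1 or MD5 based, so a certificate that was not regenerated is reported rather than silently absent from grep output. The function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-file signature algorithm audit for a directory of .crt files.

# Read `openssl x509 -text -noout` output on stdin and print the signature
# algorithm name (the name appears twice per certificate; take the first).
sigalg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeed (return 0) when the algorithm name uses SHA-1 or MD5, or is empty
# because the file could not be parsed as a certificate.
is_weak_sigalg() {
    case "$1" in
        ''|sha1*|md5*|*SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per certificate in directory $1 and return 1 if any is weak.
audit_certs() {
    dir=$1
    bad=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue          # glob matched nothing
        alg=$(openssl x509 -text -noout -in "$f" 2>/dev/null | sigalg_from_text)
        if is_weak_sigalg "$alg"; then
            echo "WEAK ${alg:-unparseable} $f"
            bad=1
        else
            echo "ok   $alg $f"
        fi
    done
    return "$bad"
}

# Usage: sh audit_sigalg.sh <directory holding the .crt files>
if [ -n "${1:-}" ]; then
    audit_certs "$1"
fi
```

The non-zero return makes the check usable as a gate in a post-install or CI step.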
Comment 9 Kedar Bidarkar 2016-04-01 14:36:56 EDT
VERIFIED with sat62-snap6
Comment 10 Stephen Wadeley 2016-04-07 03:24:29 EDT
*** Bug 1314418 has been marked as a duplicate of this bug. ***
Comment 16 errata-xmlrpc 2016-07-27 05:01:17 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
