Bug 1296301 - Katello-installer and capsule-certs-generate sign certificates with sha1 [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.1.5
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Katello Bug Bin
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1314418
Depends On:
Blocks:
 
Reported: 2016-01-06 20:36 UTC by dzr0001
Modified: 2020-01-17 15:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 09:01:17 UTC
Target Upstream Version:
ahuchcha: needinfo? (kbidarka)


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Article) | 2697761 | None | None | None | 2016-10-13 05:19:39 UTC
Red Hat Product Errata | RHBA-2016:1500 | normal | SHIPPED_LIVE | Red Hat Satellite 6.2 Base Libraries | 2016-07-27 12:24:38 UTC

Description dzr0001 2016-01-06 20:36:45 UTC
Description of problem:

Generated certificates are signed with sha1 instead of sha256.

Version-Release number of selected component (if applicable):

6.1.5, likely all

How reproducible:

100%

Steps to Reproduce:

1. Install satellite or generate capsule certificates
2. Inspect certificates

Actual results:

Certificates are signed with a sha1 algorithm

Expected results:

Certificates should be signed with a sha2 algorithm

Additional info:

This appears to have been fixed in katello upstream https://github.com/Katello/katello-certs-tools/commit/b68836ab1b70d085691168dbc3748769c405e522

Comment 1 Bryan Kearney 2016-01-12 18:12:52 UTC
Connecting redmine issue http://projects.theforeman.org/issues/10777 from this bug

Comment 2 Corey Welton 2016-01-12 18:13:48 UTC
QE: ping ehelms or someone else on dev on what ssl commands to use

Comment 8 Kedar Bidarkar 2016-04-01 18:36:34 UTC
[xyz@abc certs]# ls *.crt
abc.redhat.com-apache.crt                abc.redhat.com-qpid-broker.crt
abc.redhat.com-foreman-client.crt        abc.redhat.com-qpid-client-cert.crt
abc.redhat.com-foreman-proxy-client.crt  abc.redhat.com-qpid-router-client.crt
abc.redhat.com-foreman-proxy.crt         abc.redhat.com-qpid-router-server.crt
abc.redhat.com-puppet-client.crt


[xyz@abc certs]# for i in `ls *.crt`; do openssl x509 -text -noout -in $i | grep -i sha256WithRSAEncryption; done
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption


All the certs now use sha256 and not sha1 algorithm
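
An added example, not part of the comment above or of the Katello tooling: a per-file form of the same inspection that prints each certificate's name next to its signature algorithm and returns non-zero if any certificate is signed with SHA-1, MD5 or MD2. The function names are hypothetical; it assumes the `openssl` CLI is on the PATH and that the files are PEM-encoded.

```shell
#!/bin/sh
# Added example (not from the bug report): audit certificate signature hashes.
# Function names are hypothetical; assumes the openssl CLI and PEM input files.

# Read `openssl x509 -noout -text` output on stdin and print the signature
# algorithm. The name appears twice per certificate (in the signed data and
# on the outer signature), so only the first occurrence is printed.
sig_alg_from_text() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Succeed (status 0) when the algorithm name uses SHA-1, MD5 or MD2,
# e.g. sha1WithRSAEncryption, ecdsa-with-SHA1, md5WithRSAEncryption.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*|*md2*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per file and return non-zero if any certificate is weak or
# unreadable, so the check can gate a CI job or a post-install step.
audit_certs() {
    audit_rc=0
    for audit_f in "$@"; do
        audit_alg=$(openssl x509 -in "$audit_f" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$audit_alg" ]; then
            printf 'ERROR  %s: no certificate could be parsed\n' "$audit_f"
            audit_rc=1
        elif is_weak_sig_alg "$audit_alg"; then
            printf 'WEAK   %s: %s\n' "$audit_f" "$audit_alg"
            audit_rc=1
        else
            printf 'OK     %s: %s\n' "$audit_f" "$audit_alg"
        fi
    done
    return "$audit_rc"
}

# Usage: sh audit.sh ./*.crt
[ "$#" -eq 0 ] || audit_certs "$@"
```
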

Comment 9 Kedar Bidarkar 2016-04-01 18:36:56 UTC
VERIFIED with sat62-snap6

Comment 10 Stephen Wadeley 2016-04-07 07:24:29 UTC
*** Bug 1314418 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2016-07-27 09:01:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

