Bug 1402011 - Custom SSL certificates was not applied correctly
Summary: Custom SSL certificates was not applied correctly
Keywords:
Status: CLOSED DUPLICATE of bug 1306964
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-06 15:03 UTC by Michael Arbet
Modified: 2016-12-06 16:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-06 16:18:00 UTC
Target Upstream Version:
Embargoed:



Description Michael Arbet 2016-12-06 15:03:18 UTC
Description of problem:
The issue occurred when I tried to apply custom SSL certificates using the command
satellite-installer --scenario satellite \
  --certs-server-cert $PWD/satosix.crt \
  --certs-server-cert-req $PWD/satosix.csr \
  --certs-server-key $PWD/satosix.key \
  --certs-server-ca-cert $PWD/RHCA-chain1.crt \
  --certs-update-server \
  --certs-update-server-ca

The certificate itself has been applied correctly, however the CA certificate chain hasn't been. A long investigation showed that an old certificate chain remained in use for httpd. The command was found in the official documentation and also in the output of the 'katello-certs-check' command.

So...in those two files:
  /etc/httpd/conf.d/03-crane.conf
  /etc/httpd/conf.d/03-foreman-ssl.conf

the following content was found (common to both):
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"

I found that on the given path (/etc/pki/katello/certs) were both files, 'katello-default-ca.crt' and also the one added by the command above, now named 'katello-server-ca.crt'. When I changed the word 'default' to 'server' in the configuration files and restarted apache, the satellite provided all correct information when establishing an https connection. I believe the config files were not altered correctly.

I consider my change just a workaround for the described malfunction in the satellite setup process.

Also... I remember that right after the very first run of the command for certificates setup everything worked, only later it stopped (the provided CA chain was replaced by the default one). Maybe puppet is involved in this... I will observe the behavior and report if anything changes.
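
One way to check for the mismatch described in the report above, as an added example that is not part of the original bug report or of Satellite itself: the script counts httpd CA directives that still point at katello-default-ca.crt while a different katello-server-ca.crt sits beside it. The function names and the sample tree are constructed for illustration; on a system like the reporter's the two directories would be /etc/httpd/conf.d and /etc/pki/katello/certs.

```sh
#!/bin/sh
# Added example (not from the bug report). Function names and the sample
# tree are this sketch's own; on the reporter's system the directories
# would be /etc/httpd/conf.d and /etc/pki/katello/certs.

# Print "<file> <directive> <path>" for each active CA directive.
# Assumes paths without spaces; commented-out lines are ignored.
list_ca_directives() {
    awk 'tolower($1) ~ /^ssl(certificatechainfile|cacertificatefile)$/ {
             gsub(/"/, "", $2); print FILENAME, $1, $2 }' "$1"/*.conf 2>/dev/null
}

# Echo how many directives still reference katello-default-ca.crt while a
# different katello-server-ca.crt is installed; details go to stderr.
stale_ca_refs() {
    default_ca="$2/katello-default-ca.crt"
    server_ca="$2/katello-server-ca.crt"
    # No custom CA, or it is identical to the default: nothing is stale.
    [ -f "$server_ca" ] || { echo 0; return 0; }
    if cmp -s "$default_ca" "$server_ca"; then echo 0; return 0; fi
    list_ca_directives "$1" | awk -v ca="$default_ca" '
        $3 == ca { print "STALE " $1 ": " $2 " -> " $3 > "/dev/stderr"; n++ }
        END      { print n + 0 }'
}

# Constructed sample tree mirroring the two files named in the report.
build_sample() {
    root=$(mktemp -d)
    mkdir "$root/conf.d" "$root/certs"
    echo "default CA (placeholder)" > "$root/certs/katello-default-ca.crt"
    echo "custom CA (placeholder)"  > "$root/certs/katello-server-ca.crt"
    for f in 03-crane.conf 03-foreman-ssl.conf; do
        cat > "$root/conf.d/$f" <<EOF
  SSLCertificateChainFile "$root/certs/katello-default-ca.crt"
  SSLCACertificateFile    "$root/certs/katello-default-ca.crt"
  # SSLCACertificateFile  "$root/certs/unused.crt"
EOF
    done
    echo "$root"
}

sample=$(build_sample)
echo "stale CA references: $(stale_ca_refs "$sample/conf.d" "$sample/certs")"
rm -rf "$sample"
```

A non-zero count after an installer or puppet run would show the directives pointing back at the default CA, which is the behavior the reporter suspected.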

Comment 1 Michael Arbet 2016-12-06 15:55:28 UTC
Another issue found:

Regardless of the web services working over https with the correct CA chain, there is also a katello certificate .rpm package for download that still provides the file 'katello-default-ca.crt' - the old one instead of the newly applied one. The result is: no packages will be applied, no updates... nothing from that satellite server. Thus my previous workaround is not good enough.

I assume rewriting the -default-ca file with new content would work better, however, fixing that bug in satellite is the right solution.

Kind regards
-michael arbet-

Comment 2 Stephen Benjamin 2016-12-06 16:18:00 UTC
The first issue is a duplicate of BZ1306964.

Please open a separate bug for the RPM issue if it needs one, although if you're on 6.2.1, you could be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1283865.

*** This bug has been marked as a duplicate of bug 1306964 ***

