Description of problem:
katello-certs-check should check that the certificates are not expired. Currently, when the certificate is expired, the utility marks it as valid; however, using such certificates leads to issues with communication between internal components.

Version-Release number of selected component (if applicable):
6.2

How reproducible:
Use an expired certificate and run the katello-certs-check utility on it

Actual results:
Check will be successful

Expected results:
Information about invalid certificates will be delivered to the user.
Filed a PR for this here: https://github.com/Katello/katello-installer/pull/488 Added a check for the Certificate and CA separately since they can be created at different times. Valid testing is to use an expired CA + Cert (Or one or the other expired) as well as using a valid CA + Cert.
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18849 has been resolved.
Created a new CA:

% openssl genrsa -out rootCA.key 2048
% openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Created a new key and csr:

% openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Created a valid signature:

% openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.valid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key

Created an expired signature:

% faketime '1 year ago' openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.invalid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key

Valid certificate validates just fine:

% katello-certs-check -c server.valid.crt -k server.key -r server.csr -b ca/rootCA.pem
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]
Validation succeeded.
Expired certificate raises an error:

% katello-certs-check -c server.invalid.crt -k server.key -r server.csr -b ca/rootCA.pem
Checking expiration of certificate: [FAIL]
The certificate "/root/1419842/server.invalid.crt" already expired on: Nov 17 07:44:36 2016
Checking expiration of CA bundle: [OK]
Validating the certificate
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

For comparison, the old (6.2) version would return OK on the same expired cert:

% katello-certs-check.62 -c server.invalid.crt -k server.key -r server.csr -b ca/rootCA.pem
Validating the certificate
subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]
Validation succeeded.

→ VERIFIED
Version Tested: Satellite-6.3 Snap 10
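The two "Checking expiration of ..." lines from the verification run above, with the certificate and the CA bundle checked separately as the PR comment describes, reimplemented as a stand-alone POSIX sh pre-check around the openssl CLI. This is an added example, not katello-certs-check's own code: the function names, the [WARN] status, the 30-day default warning window and the awk-based splitting of the bundle into individual certificates are assumptions of this example.

```shell
#!/bin/sh
# Added example, not katello-certs-check's own code: an expiration pre-check
# over a server certificate and a CA bundle, using only the openssl CLI, awk
# and mktemp. Exit status: 0 valid, 1 expiring within WARN_DAYS, 2 already
# expired (or unreadable). The [WARN] status and the 30-day default window
# are this example's assumptions, not Satellite behaviour.

# check_cert_expiry FILE LABEL [WARN_DAYS]
check_cert_expiry() {
  file=$1; label=$2; warn_days=${3:-30}
  enddate=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null) || {
    echo "Checking expiration of $label: [FAIL] \"$file\" is not a readable PEM certificate"
    return 2
  }
  enddate=${enddate#notAfter=}
  # -checkend N exits non-zero when the certificate expires within N seconds;
  # with N=0 that is exactly "notAfter is not in the future".
  if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
    echo "Checking expiration of $label: [FAIL] \"$file\" already expired on: $enddate"
    return 2
  fi
  if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$file" >/dev/null 2>&1; then
    echo "Checking expiration of $label: [WARN] \"$file\" expires within $warn_days days, on: $enddate"
    return 1
  fi
  echo "Checking expiration of $label: [OK] valid until $enddate"
  return 0
}

# check_bundle_expiry BUNDLE [WARN_DAYS]
# The CA bundle is usually created at a different time than the server
# certificate (and may hold a chain), so each PEM block in it is checked on
# its own and the worst status is returned.
check_bundle_expiry() {
  bundle=$1; warn=${2:-30}
  tmp=$(mktemp -d) || return 2
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%03d.pem", dir, n); p = 1 }
    p { print > f }
    /-----END CERTIFICATE-----/   { p = 0; close(f) }
  ' "$bundle" 2>/dev/null
  worst=0
  for f in "$tmp"/ca-*.pem; do
    if [ ! -e "$f" ]; then
      echo "Checking expiration of CA bundle: [FAIL] no PEM certificates found in \"$bundle\""
      worst=2
      break
    fi
    i=${f##*/ca-}; i=${i%.pem}
    rc=0; check_cert_expiry "$f" "CA bundle (certificate $i)" "$warn" || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  rm -rf "$tmp"
  return "$worst"
}

# Usage: sh check-expiry.sh SERVER_CERT CA_BUNDLE [WARN_DAYS]
if [ $# -ge 2 ]; then
  s1=0; check_cert_expiry "$1" "certificate" "${3:-30}" || s1=$?
  s2=0; check_bundle_expiry "$2" "${3:-30}" || s2=$?
  if [ "$s1" -eq 0 ] && [ "$s2" -eq 0 ]; then echo "Validation succeeded."; fi
  exit $(( s1 > s2 ? s1 : s2 ))
fi
```

Run it as `sh check-expiry.sh server.valid.crt ca/rootCA.pem`; the expired case can be reproduced with the faketime-signed server.invalid.crt from the verification comment, which makes the certificate check return 2 while the bundle check still passes. Checking every certificate in the bundle rather than only the first one matters when the bundle carries an intermediate that was issued later (or earlier) than the root.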
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336