Bug 1419842 - katello-certs-check doesn't check expiration date
Summary: katello-certs-check doesn't check expiration date
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Certificates
Version: 6.2.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: Unspecified
Assignee: Craig Donnelly
QA Contact: Evgeni Golov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-07 08:46 UTC by Marcel Gazdík
Modified: 2024-02-28 20:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:49:54 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links:
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 18849 | 0 | Normal | Closed | katello-certs-check doesn't check expiration date | 2020-06-08 18:37:01 UTC

Description Marcel Gazdík 2017-02-07 08:46:54 UTC
Description of problem:
  katello-certs-check should check if the certificates are not expired. Currently when the certificate is expired, the utility marks them as valid, however using such certificates leads to issues with communication between internal components.

Version-Release number of selected component (if applicable):
6.2

How reproducible:
Use expired certificate and run the katello-certs-check utility on them


Actual results:
  Check will be successful 

Expected results:
  Information about invalid certificates will be delivered to the user.

Comment 2 Craig Donnelly 2017-03-09 03:44:44 UTC
Filed a PR for this here: https://github.com/Katello/katello-installer/pull/488
Added a check for the Certificate and CA separately since they can be created at different times.

Valid testing is to use an expired CA + Cert (Or one or the other expired) as well as using a valid CA + Cert.

Comment 4 Satellite Program 2017-03-11 17:03:05 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18849 has been resolved.

Comment 5 Evgeni Golov 2017-08-09 08:06:55 UTC
Created a new CA:
% openssl genrsa -out rootCA.key 2048
% openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Created a new key and csr:
% openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Created a valid signature:
% openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.valid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key

Created an expired signature:
% faketime '1 year ago' openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.invalid.crt -days 100 -sha256
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd, CN = sat63-qa-rhel7-puppet4.kangae.example.com
Getting CA Private Key

Valid certificate validates just fine:
% katello-certs-check -c server.valid.crt -k server.key -r server.csr  -b ca/rootCA.pem
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

Validation succeeded.

Expired certificate raises an error:
% katello-certs-check -c server.invalid.crt -k server.key -r server.csr  -b ca/rootCA.pem
Checking expiration of certificate: [FAIL]
The certificate "/root/1419842/server.invalid.crt" already expired on: Nov 17 07:44:36 2016
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]

For comparison, the old (6.2) version would return OK on the same expired cert:
% katello-certs-check.62 -c server.invalid.crt -k server.key -r server.csr  -b ca/rootCA.pem
Validating the certificate subject= /C=XX/L=Default City/O=Default Company Ltd/CN=sat63-qa-rhel7-puppet4.kangae.example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

→ VERIFIED
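
As an added example (not the bug's own code and not the katello-certs-check script itself), here is the expiration check that Comment 2 describes and Comment 5 verifies, written with plain openssl: the certificate and the CA bundle are checked separately, because they are issued at different times; every certificate in a bundle is checked, not just the first one openssl reads; and an optional day offset reports certificates that are about to expire, which goes slightly beyond the bug's "already expired" case. The demo material is constructed: a throwaway CA, a server certificate valid for 100 days, and one issued with -days 0 so that its notAfter equals its issue time and it is already expired when checked (the verification above used faketime for the same purpose). The file names, the "Demo Root CA" subject and the host name are assumptions.

```shell
#!/bin/sh
# Added example, not part of katello-certs-check: the expiration check that
# bug 1419842 asked for, done with plain openssl. The certificate and the CA
# bundle are checked separately, as Comment 2 describes.
set -u

# check_cert_expiry FILE [DAYS]
# 0 = the (first) certificate in FILE is still valid DAYS days from now,
# 1 = it has expired or will expire within DAYS days, 2 = FILE is not a cert.
check_cert_expiry() {
    file=$1
    days=${2:-0}
    enddate=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null) || return 2
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
        echo "Checking expiration of certificate \"$file\": [OK] (${enddate#notAfter=})"
        return 0
    fi
    echo "Checking expiration of certificate \"$file\": [FAIL] expires on ${enddate#notAfter=}"
    return 1
}

# check_bundle_expiry BUNDLE [DAYS]
# A CA bundle can hold several PEM certificates and openssl x509 only reads the
# first one, so split the bundle and run check_cert_expiry on each piece.
# Returns 2 if the file contains no certificate at all.
check_bundle_expiry() {
    bundle=$1
    days=${2:-0}
    tmpdir=$(mktemp -d) || return 2
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle" 2>/dev/null
    status=0
    found=0
    for c in "$tmpdir"/cert*.pem; do
        [ -f "$c" ] || continue
        found=1
        check_cert_expiry "$c" "$days" || status=1
    done
    rm -rf "$tmpdir"
    [ "$found" -eq 1 ] || return 2
    return "$status"
}

# make_demo_certs DIR
# Constructed test material (assumed names): a throwaway CA, a server cert
# valid for 100 days, and one issued with -days 0 so that its notAfter equals
# its issue time and it is already expired when checked (Comment 5 used
# faketime for the same purpose).
make_demo_certs() {
    dir=$1
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1024 \
        -subj "/CN=Demo Root CA" -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=satellite.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    for spec in "valid:100" "expired:0"; do
        openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
            -CAcreateserial -sha256 -days "${spec#*:}" -out "$dir/server.${spec%:*}.crt" 2>/dev/null || return 1
    done
    # Bundles: two good CA certs, and one whose second entry is expired.
    cat "$dir/rootCA.pem" "$dir/rootCA.pem" > "$dir/bundle.good.pem"
    cat "$dir/rootCA.pem" "$dir/server.expired.crt" > "$dir/bundle.expired.pem"
}

# Stand-alone run ("sh check_expiry.sh demo"): build the material, show both outcomes.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_certs "$work"
    check_cert_expiry "$work/server.valid.crt"
    check_cert_expiry "$work/server.expired.crt"
    check_bundle_expiry "$work/bundle.good.pem"
    check_bundle_expiry "$work/bundle.expired.pem" 30
    rm -rf "$work"
fi
```

The split step matters for real deployments: a bundle that chains through an intermediate CA can have a perfectly valid root as its first entry while the intermediate has lapsed, and a check that only looks at the first PEM block reports [OK] for exactly the situation Comment 2 warns about. Passing a day offset (30 above) turns the same check into an early warning that can run from cron before the certificate actually expires.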

Comment 6 Evgeni Golov 2017-08-09 09:24:56 UTC
Version Tested:
Satellite-6.3 Snap 10

Comment 7 Satellite Program 2018-02-21 16:49:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

