Red Hat Bugzilla – Bug 1460599
please obtain the Katello CA securely
Last modified: 2017-06-16 05:58:09 EDT
Section Number and Name:
3.1. Using SSL Authentication
Describe the issue:
The section currently suggests to fetch katello-server-ca.crt from the Satellite using an unencrypted and unsecured HTTP connection. Doing so permits an attacker to serve whatever CA certificate they want and then hijack the encrypted sessions too.
Suggestions for improvement:
Given this is a chicken-and-egg problem, I would suggest obtaining the CA certificate via SSH instead. Or if the curl commands are executed directly on the Satellite, use the locally available copy (/var/www/html/pub/katello-server-ca.crt aka /etc/pki/katello/certs/katello-server-ca.crt).
Fetching the cert via HTTP should be the last resort and marked with a security warning.
Why are we fetching the cert using wget, and then using curl though the rest of the guide? curl can fetch stuff fine too (curl -O) :)
Assigning to Sergei for review.
Sergei - it looks like we'll need to do three things here:
1. Add an example of how to retrieve the certificate using SSH (scp <user>@<
2. Add an example of how to retrieve the certificate using curl, and
mentioning that this method is ok when run directly on the Satellite Server
3. Add a 'Warning' admonition to the example of using 'wget' to outline the
issue about security.
The first step in the procedure should therefore be a single step with three step alternatives ('To download the certificate using SSH:', etc.)
Let me know if you have any questions!
These changes are now live on the Custom Portal.