Bug 1460599 - please obtain the Katello CA securely
please obtain the Katello CA securely
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Docs API Guide (Show other bugs)
Unspecified Unspecified
medium Severity medium (vote)
: 6.2.11
: 6.2
Assigned To: Sergei Petrosian
Russell Dickenson
Depends On:
  Show dependency treegraph
Reported: 2017-06-12 03:16 EDT by Evgeni Golov
Modified: 2017-06-16 05:58 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-06-16 05:58:09 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Evgeni Golov 2017-06-12 03:16:59 EDT
Document URL:

Section Number and Name: 
3.1. Using SSL Authentication

Describe the issue:
The section currently suggests to fetch katello-server-ca.crt from the Satellite using an unencrypted and unsecured HTTP connection. Doing so permits an attacker to serve whatever CA certificate they want and then hijack the encrypted sessions too.

Suggestions for improvement: 
Given this is a chicken-and-egg problem, I would suggest obtaining the CA certificate via SSH instead. Or if the curl commands are executed directly on the Satellite, use the locally available copy (/var/www/html/pub/katello-server-ca.crt aka /etc/pki/katello/certs/katello-server-ca.crt).

Fetching the cert via HTTP should be the last resort and marked with a security warning.

Additional information: 
Why are we fetching the cert using wget, and then using curl though the rest of the guide? curl can fetch stuff fine too (curl -O) :)
Comment 1 Andrew Dahms 2017-06-12 04:31:51 EDT
Assigning to Sergei for review.

Sergei - it looks like we'll need to do three things here:

1. Add an example of how to retrieve the certificate using SSH (scp <user>@<
   address>:/var/www/html/pub/katello-server-ca.crt <destination>

2. Add an example of how to retrieve the certificate using curl, and 
   mentioning that this method is ok when run directly on the Satellite Server

3. Add a 'Warning' admonition to the example of using 'wget' to outline the 
   issue about security.

The first step in the procedure should therefore be a single step with three step alternatives ('To download the certificate using SSH:', etc.)

Let me know if you have any questions!
Comment 18 Sergei Petrosian 2017-06-16 05:58:09 EDT
These changes are now live on the Custom Portal.

Thank you

Note You need to log in before you can comment on or make changes to this bug.