Bug 1463018 - katello-certs-check does not verify server's certificate is PEM encoded
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Priority: medium
Severity: medium
Assigned To: Russell Dickenson
QA Contact: Katello QA List
Keywords: Triaged
Reported: 2017-06-19 19:47 EDT by Russell Dickenson
Modified: 2018-03-15 20:50 EDT
Last Closed: 2018-03-15 20:50:41 EDT
Type: Bug
Description Russell Dickenson 2017-06-19 19:47:38 EDT
Description of problem: The Bash script `katello-certs-check` does not verify that the server's certificate is PEM encoded, resulting in failure to install the certificate.

Version-Release number of selected component (if applicable): 6.2.9

How reproducible: Every time.

Steps to Reproduce:
1. Generate an SSL certificate for the Satellite Server.
2. Convert it into DER format.
3. Install the certificate (in DER encoding) in Satellite.

Actual results: Instances of the following errors appear in log file /var/log/foreman-proxy/proxy.log:
OpenSSL::SSL:SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca

Expected results: The custom SSL certificate is installed successfully.

Additional info: This BZ ticket was raised as a result of customer case 01864075.
Comment 1 Russell Dickenson 2017-06-19 19:52:10 EDT
Foreman issue: http://projects.theforeman.org/issues/20054
Comment 2 Russell Dickenson 2017-06-19 19:54:50 EDT
I believe *ALL* certificates used in the process of installing a custom SSL certificate must be PEM encoded, including that provided by the CA. Instead of trying to resolve both issues in the one BZ ticket and Redmine issue, I have kept the scope of this BZ ticket to ONLY the server's certificate.
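
Added example, not part of the bug report and not code from `katello-certs-check`: a pre-flight check that tells a PEM file from a DER file and rejects the DER one with a conversion hint before anything is installed. The function names (`cert_encoding`, `require_pem`, `make_samples`) are hypothetical, the sample files are constructed and are not real certificates, and the check is structural only (PEM armor plus the leading ASN.1 SEQUENCE tag), so it does not validate the certificate itself.

```shell
#!/bin/sh
# Added example: classify a certificate file as PEM or DER before install.

# First byte of stdin as two hex digits (empty string for empty input).
first_byte_hex() { head -c 1 | od -An -tx1 | tr -d ' \n'; }

# Prints pem, der or unknown. A certificate is an ASN.1 SEQUENCE, so its DER
# bytes (raw, or base64-decoded from the PEM body) begin with 0x30.
cert_encoding() {
    [ -r "$1" ] || { echo unknown; return 1; }
    if grep -q -e '^-----BEGIN CERTIFICATE-----' "$1"; then
        # Decode the base64 lines between the armor markers.
        if [ "$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
                grep -v '^-----' | tr -d '\r\n' |
                base64 -d 2>/dev/null | first_byte_hex)" = 30 ]; then
            echo pem; return 0
        fi
        echo unknown; return 1
    fi
    if [ "$(first_byte_hex < "$1")" = 30 ]; then
        echo der; return 0
    fi
    echo unknown; return 1
}

# Gate for an installer: succeed only for PEM, explain how to convert DER.
require_pem() {
    case $(cert_encoding "$1") in
        pem) return 0 ;;
        der) echo "$1: DER encoded, PEM required. Convert with:" >&2
             echo "  openssl x509 -inform DER -in $1 -outform PEM -out $1.pem" >&2 ;;
        *)   echo "$1: not a recognisable X.509 certificate file" >&2 ;;
    esac
    return 1
}

# Constructed sample input (NOT real certificates): a SEQUENCE header plus
# filler, written raw (DER-like) and base64-armored (PEM-like).
make_samples() {
    printf '\060\202\001\012constructed-sample' > "$1/server.der"
    { echo '-----BEGIN CERTIFICATE-----'
      base64 < "$1/server.der"
      echo '-----END CERTIFICATE-----'; } > "$1/server.pem"
    echo 'not a certificate' > "$1/server.txt"
}

# Stand-alone use: sh check.sh server.crt [ca.crt ...]
for f in "$@"; do require_pem "$f" || exit 1; done
```

The same gate applies to every file supplied during a custom certificate install, including the CA certificate mentioned in Comment 2.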
