Bug 1654326 - katello-certs-check gives the wrong output if using certificate with wildcard.
Summary: katello-certs-check gives the wrong output if using certificate with wildcard.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: 6.7.0
Assignee: Chris Roberts
QA Contact: Stephen Wadeley
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-11-28 14:31 UTC by Suraj Patil
Modified: 2023-09-07 19:33 UTC
CC List: 8 users

Fixed In Version: foreman-installer-1.24.1.19-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:39:19 UTC
Target Upstream Version:
Embargoed:


Attachments
cert-bundle (140.00 KB, application/x-tar), 2020-03-10 19:23 UTC, Chris Roberts


Links
Foreman Issue Tracker 25564 (priority Normal, status Closed): katello-certs-check gives the wrong output if using certificate with wildcard. Last updated 2020-11-09 17:18:39 UTC

Description Suraj Patil 2018-11-28 14:31:37 UTC
Description of problem:
If we try to install custom certs on Satellite with a wildcard, i.e. CN=*.example.com, katello-certs-check gives the wrong output.

katello-certs-check gives the command to generate the capsule certs as below instead of the satellite-installer command.

--------------------------------------------------------------------------------------------------------
  To use them inside a NEW $FOREMAN_PROXY, run this command:

      capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                   --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                   --server-cert "/customcerts/cert_crt.pem"\
                                   --server-key "/customcerts/cert_key.pem"\
                                   --server-ca-cert "/customcerts/CA_crt.pem"\

  To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

      capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                   --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                   --server-cert "/customcerts/cert_crt.pem"\
                                   --server-key "/customcerts/cert_key.pem"\
                                   --server-ca-cert "/customcerts/CA_crt.pem"\
                                   --certs-update-server

--------------------------------------------------------------------------------------------------------
This issue was caused by the fix in the following RFE:

[RFE] katello-certs-check to distinguish between Satellite and Capsule
https://projects.theforeman.org/issues/22694



Version-Release number of selected component (if applicable):
satellite6.4

Comment 4 Bryan Kearney 2019-07-18 16:03:42 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25564 has been resolved.

Comment 5 Stephen Wadeley 2019-11-19 16:12:04 UTC
See also

Bug 1758181 - katello-certs-check does not support wildcard certificates

Bug 1658360 - katello-certs-check is not showing satellite-installer command if wildcard SSL certificate is used.

Comment 12 Bryan Kearney 2019-11-25 21:03:46 UTC
Upstream bug assigned to supatil

Comment 18 Chris Roberts 2020-03-10 19:23:04 UTC
Created attachment 1669054 [details]
cert-bundle

Comment 22 Stephen Wadeley 2020-03-16 14:08:10 UTC
Hello

Testing with latest snap

[root@sat-6-7-qa-rhel7 ~]# rpm -q satellite
satellite-6.7.0-6.el7sat.noarch

Fixed in version says: foreman-installer-1.24.1.19-1

I have: 
[root@sat-6-7-qa-rhel7 ~]# rpm -q foreman-installer
foreman-installer-1.24.1.20-1.el7sat.noarch


Create CA
--------------

[root@sat-6-7-qa-rhel7 ~]# git clone https://github.com/iNecas/ownca.git
Cloning into 'ownca'...

[root@sat-6-7-qa-rhel7 ~]# cd ownca/
[root@sat-6-7-qa-rhel7 ownca]# ./generate-ca.sh 
Generating a 2048 bit RSA private key
.................................................................+++
..........................................+++
writing new private key to 'private/cakey.crt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:
[root@sat-6-7-qa-rhel7 ownca]#


Generate the certificate with wildcard in host name portion of FQDN
---------------------------------------------------------------------------

[root@sat-6-7-qa-rhel7 ownca]# ./generate-crt.sh "*.example.com"
Generating a 2048 bit RSA private key
..+++
...............+++
writing new private key to './*.example.com/*.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:Organizational Unit Name (department, division) []:Email Address []:Locality Name (city, district) [My Town]:State or Province Name (full name) [State or Providence]:Country Name (2 letter code) [US]:Common Name (hostname, IP, or your name) []:Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'My Company'
localityName          :PRINTABLE:'My Town'
stateOrProvinceName   :PRINTABLE:'State or Providence'
countryName           :PRINTABLE:'US'
commonName            :T61STRING:'*.example.com'
Certificate is to be certified until Mar 16 13:47:38 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@sat-6-7-qa-rhel7 ownca]# 

Copy CA cert to server certs directory
----------------------------------------

[root@sat-6-7-qa-rhel7 ownca]# cp cacert.crt \*.example.com/

[root@sat-6-7-qa-rhel7 ownca]# cd \*.example.com/
[root@sat-6-7-qa-rhel7 *.example.com]# ls
cacert.crt  *.example.com.crt  *.example.com.crt.req  *.example.com.key
[root@sat-6-7-qa-rhel7 *.example.com]# 

Check that the wildcard name is in the cert:
-----------------------------------------------

[root@sat-6-7-qa-rhel7 *.example.com]# openssl x509 -text -in \*.example.com.crt -noout | grep -B1 DNS
            X509v3 Subject Alternative Name: 
                DNS:*.example.com


Check the certificate with katello-certs-check
-----------------------------------------------

[root@sat-6-7-qa-rhel7 *.example.com]# katello-certs-check -c *.example.com.crt -k *.example.com.key -b cacert.crt
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking CA bundle size: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


To install the Red Hat Satellite Server with custom certificates, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/ownca/*.example.com/*.example.com.crt" \
                      --certs-server-key "/root/ownca/*.example.com/*.example.com.key" \
                      --certs-server-ca-cert "/root/ownca/*.example.com/cacert.crt"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/ownca/*.example.com/*.example.com.crt" \
                      --certs-server-key "/root/ownca/*.example.com/*.example.com.key" \
                      --certs-server-ca-cert "/root/ownca/*.example.com/cacert.crt" \
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, rerun this command with -t capsule
[root@sat-6-7-qa-rhel7 *.example.com]# 


OK, command output on last line looks better now:

To use them inside a NEW $CAPSULE, rerun this command with -t capsule

Thank you
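
The following Python is an added illustration, not code from katello-certs-check, the installer, or the commenter: it shows why a wildcard name falls through an exact hostname comparison (a plausible reason for the wrong branch being printed) and how a wildcard-aware check over the Subject Alternative Name entries handles it. The SAN text is constructed to mirror the `openssl x509 -text` output in the comment above, and the hostname used is the test machine's FQDN, assumed from the shell prompt.

```python
import re

# Constructed sample: the SAN block that `openssl x509 -text -noout` prints
# for the wildcard certificate generated above.
SAN_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:*.example.com
"""


def parse_san_dns(openssl_text):
    """Collect the DNS: entries from `openssl x509 -text -noout` output."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", openssl_text)]


def naive_covers_host(openssl_text, hostname):
    """Exact string comparison: a wildcard name never equals a concrete FQDN,
    so a wildcard certificate is reported as not covering the host."""
    return hostname.lower() in parse_san_dns(openssl_text)


def wildcard_matches(pattern, hostname):
    """RFC 6125 style matching: '*' may only be the whole leftmost label,
    it matches exactly one label, and the pattern must keep at least two
    further labels (so '*.com' is rejected)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def cert_covers_host(openssl_text, hostname):
    """Wildcard-aware check: does any SAN DNS entry cover this FQDN?"""
    return any(wildcard_matches(n, hostname) for n in parse_san_dns(openssl_text))


if __name__ == "__main__":
    fqdn = "sat-6-7-qa-rhel7.example.com"  # assumed from the prompt above
    print("exact comparison covers host:", naive_covers_host(SAN_TEXT, fqdn))
    print("wildcard-aware check covers host:", cert_covers_host(SAN_TEXT, fqdn))
```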

Comment 23 Bryan Kearney 2020-04-14 13:39:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454

