1803027 – RHEL8 clients with FUTURE policy get error EE certificate key too weak

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1803027 - RHEL8 clients with FUTURE policy get error EE certificate key too weak

Summary: RHEL8 clients with FUTURE policy get error EE certificate key too weak

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Registration
Sub Component:
Version:	6.6.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high with 4 votes
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Stephen Wadeley
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-02-14 10:55 UTC by Kenny Tordeurs
Modified:	2024-03-25 15:41 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	Cause: Only new installations of Red Hat Satellite 6.8 and later will generate 4096-bit certificates. Upgrading from Red Hat Satellite 6.7, which generated 2048-bit RSA certificates, will not update the certificates to 4096-bit Consequence: RHEL8 Clients that have the crypto policy set to FUTURE cannot perform yum actions. Workaround (if any): https://access.redhat.com/solutions/5393241 Red Hat Enterprise Linux 8 clients with FUTURE policy get error: EE certificate key too weak Result: Customers upgrading from Satellite 6.7 and wanting to use RHEL8 Clients that have the crypto policy set to FUTURE must follow the solution.
Clone Of:
Environment:
Last Closed:	2020-09-11 21:01:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	5393241	0	None	None	None	2020-09-11 21:02:45 UTC

Description Kenny Tordeurs 2020-02-14 10:55:33 UTC

Description of problem:
RHEL8 Clients that have the crypto policy set to FUTURE cannot perform yum actions because the Certificate that is currently available is considered too weak for the FUTURE crypto policy.

Version-Release number of selected component (if applicable):
Satellite 6.6
RHEL8

How reproducible:
100%

Steps to Reproduce:
- Register RHEL8 client to Satellite
- update-crypto-policies --set FUTURE
- Try yum command

Actual results:
# yum repolist -v
~~~
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, uploadprofile
Updating Subscription Management repositories.

DNF version: 4.2.7
cachedir: /var/cache/dnf
error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://ktordeur-sat65.sysmgmt.lan/pulp/repos/Default_Organization/Library/RHEL8/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak] (https://ktordeur-sat65.sysmgmt.lan/pulp/repos/Default_Organization/Library/RHEL8/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml).
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                                                      0.0  B/s |   0  B     00:00    
Cannot download 'https://ktordeur-sat65.sysmgmt.lan/pulp/repos/Default_Organization/Library/RHEL8/content/dist/rhel8/8/x86_64/appstream/os': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried.
Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms'
Error: Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms'
~~~

Expected results:
No errors

Additional info:
This is explained in:
https://access.redhat.com/solutions/4740591
https://access.redhat.com/articles/3666211

Comment 3 Susana Mozo Weisz 2020-03-30 09:27:38 UTC

Hi,

Customer is asking for a tentative release date. Please, could you give me some information?

Best regards

Susana

Comment 4 John B 2020-04-06 13:01:54 UTC

Also very interested in the timing of the fix, or proposed workaround.  Thank you.

Comment 5 Susana Mozo Weisz 2020-04-16 10:12:01 UTC

Hello,

Any news? Customer is asking.


Best regards

Susana

Comment 9 Jeremy Lenz 2020-08-19 14:31:18 UTC

Hi all,

Our team is now actively working on a solution for this.  Stay tuned!

Comment 10 Jeremy Lenz 2020-09-11 20:16:16 UTC

Please see the new KB doc created to address this issue: https://access.redhat.com/solutions/5393241

Comment 11 Jeremy Lenz 2020-09-11 21:01:15 UTC

In a future (no pun intended) version of Satellite, perhaps we can provide an easier, more automated solution.  Until then, performing the steps in the linked KB doc should resolve the issue.

Note You need to log in before you can comment on or make changes to this bug.