Description of problem:
katello-certs-check validates that a custom certificate contains at least one Subject Alt Name, but it never cross-checks whether that SAN matches the Subject CN of the provided certificate. This can be misleading in a few cases. Here are a few I have already seen happen:

1. SAN not containing the Subject CN at all (only other aliases)
2. A typo in the SAN

Both cases will pass the katello-certs-check validation but will fail to deploy.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a certificate with a typo in the SAN
2. Run katello-certs-check to verify it
3. Try deploying that cert on Satellite and it will fail

Actual results:
Validation with katello-certs-check passes without error or warning, but satellite-installer will fail to run with such a certificate.

Expected results:
Validation should point out an issue with the certificate.

Additional info:
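The cross-check this report asks for, as an added example: a small bash script, not katello-certs-check itself and not the upstream fix, that extracts the Subject CN and the DNS SAN entries with the openssl CLI and fails unless the CN appears verbatim in the SAN. It builds three self-signed certificates covering the cases above (CN in SAN, only aliases in SAN, typo in SAN). It assumes an openssl binary on PATH; the hostnames and the make_cert helper are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the katello-certs-check script itself: build three
# self-signed certs (CN present in SAN, CN absent, CN mistyped) and check
# that the Subject CN appears among the DNS SAN entries.
# Assumes the openssl CLI is on PATH; hostnames below are made up.
set -u

# make_cert OUT.crt CN "DNS:a,DNS:b" -- self-signed cert with the given SAN.
# Uses a throwaway req config so it works without the 1.1.1-only -addext.
make_cert() {
  local out="$1" cn="$2" san="$3" cfg rc
  cfg="$(mktemp)"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "${out%.crt}.key" -out "$out" -config "$cfg" >/dev/null 2>&1
  rc=$?
  rm -f "$cfg"
  return $rc
}

# cert_cn CERT -- print the Subject CN (one per line, normally just one).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *CN=//p'
}

# cert_dns_sans CERT -- print every DNS: entry of the SAN, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_contains_cn CERT -- 0 if the CN is listed verbatim as a DNS SAN,
# 1 if not (covers both "CN missing" and "typo in SAN"), 2 if no CN.
# Exact match only: a wildcard SAN is not treated as covering the CN.
san_contains_cn() {
  local cert="$1" cn sans
  cn="$(cert_cn "$cert")"
  sans="$(cert_dns_sans "$cert")"
  [ -n "$cn" ] || { echo "FAIL: $cert has no Subject CN"; return 2; }
  if printf '%s\n' "$sans" | grep -qxF -- "$cn"; then
    echo "OK: CN '$cn' is listed in SAN"
    return 0
  fi
  echo "FAIL: CN '$cn' is not among the DNS SAN entries:" \
       "$(printf '%s' "$sans" | tr '\n' ' ')"
  return 1
}

# Walk through the three cases from the report with constructed certs.
demo() {
  local d c
  d="$(mktemp -d)"
  make_cert "$d/good.crt" satellite.example.com \
    "DNS:satellite.example.com,DNS:sat.example.com"
  make_cert "$d/alias-only.crt" satellite.example.com "DNS:sat.example.com"
  make_cert "$d/typo.crt" satellite.example.com "DNS:satelite.example.com"
  for c in good alias-only typo; do
    san_contains_cn "$d/$c.crt" || true
  done
  rm -rf "$d"
}

demo
```

Against a real deployment certificate the only call needed is `san_contains_cn /path/to/server.crt`; the alias-only and typo certificates both fail with the SAN list printed, which is where the mistyped name becomes visible.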
Upstream bug assigned to wclark
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31051 has been resolved.
Fix is in Satellite 6.9 SNAP 1.
Verified on 6.9.0 Snap3.

Verification steps:

1. # echo 100001 > serial

2. # bash generate-ca.sh
Generating a 2048 bit RSA private key
.................................+++
.............................+++
writing new private key to 'private/cakey.crt'

3. # bash generate-crt.sh xyz.com
..
Generating a 2048 bit RSA private key
.........................+++
.......................................................................................+++
writing new private key to './xyz.com/xyz.com.key'
-----
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'My Org'
.......
......
countryName           :PRINTABLE:'US'
commonName            :PRINTABLE:'Fake CA'
.........
.........
The matching entry has the following details
Type          :Valid
Expires on    :211202090241Z
Serial Number :100001
File name     :unknown
Subject Name  :/C=US/ST=My State/O=My Company/OU=My Org/CN=Fake CA
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1313