Bug 1887504 - katello-certs-check doesn't validate if there is a SAN that matches the Subject CN in custom certificates
Summary: katello-certs-check doesn't validate if there is a SAN that matches the Subje...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: 6.9.0
Assignee: wclark
QA Contact: Devendra Singh
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-10-12 16:03 UTC by Joniel Pasqualetto
Modified: 2021-04-21 13:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-21 13:18:20 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 31051 0 Normal Closed katello-certs-check don't validate if there is a SAN that matches the Subject CN in custom certificates 2021-01-28 00:52:29 UTC
Github theforeman foreman-installer pull 590 0 None closed Fixes #31051 - Add verification to check if SAN entries match Subject CN on certificate 2021-01-28 00:52:30 UTC
Red Hat Product Errata RHSA-2021:1313 0 None None None 2021-04-21 13:18:38 UTC

Description Joniel Pasqualetto 2020-10-12 16:03:55 UTC
Description of problem:

katello-certs-check validates that a custom certificate contains at least one Subject Alt Name, but it never cross-checks whether this SAN matches the Subject CN of the provided certificate.

This can be misleading in a few cases. Here are a few I have already seen happen:

1. SAN not containing the Subject CN at all (only other aliases)
2. A typo in the SAN

Both cases will pass katello-certs-check validation but will fail to deploy.

Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Create a certificate with a typo in the SAN
2. Run katello-certs-check to verify it
3. Try deploying that cert on Satellite and it will fail

Actual results:
Validation with katello-certs-check passes without error or warning, but satellite-installer will fail to run with such a certificate.

Expected results:
Validation should point out an issue with the certificate.

Additional info:

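The cross-check the report asks for, as an added example (not code from katello-certs-check, foreman-installer, or the fix in PR 590): parse the Subject CN and the subjectAltName DNS entries out of the text that `openssl x509 -noout -subject -ext subjectAltName` prints (OpenSSL 1.1.1 or later is assumed for `-ext`) and refuse the certificate when no SAN entry covers the CN. The embedded sample outputs are constructed to look like that openssl output and model the two failure cases above (SAN listing only aliases, and a typo in the SAN); they are not captures from a real Satellite certificate. The wildcard handling in `name_matches` is a generalization beyond the report and follows RFC 6125; whether Satellite accepts wildcard SANs is not established on this page.

```python
"""Check that a certificate's Subject CN is covered by one of its SAN DNS
entries. Added example; not the code of katello-certs-check itself."""
import re
import subprocess
import sys

# Constructed sample outputs in the layout of
# `openssl x509 -noout -subject -ext subjectAltName -in cert.pem`
# (OpenSSL 1.1.1+). Not real certificates.
SAMPLE_OK = (
    "subject=C = US, ST = My State, O = My Company, OU = My Org, "
    "CN = satellite.example.com\n"
    "X509v3 Subject Alternative Name: \n"
    "    DNS:satellite.example.com, DNS:sat.example.com\n"
)
# Case 2 from the report: a typo in the SAN ("satelite").
SAMPLE_TYPO = (
    "subject=C = US, ST = My State, O = My Company, OU = My Org, "
    "CN = satellite.example.com\n"
    "X509v3 Subject Alternative Name: \n"
    "    DNS:satelite.example.com, DNS:sat.example.com\n"
)
# Case 1 from the report: SAN lists only aliases, never the CN.
SAMPLE_ALIAS_ONLY = (
    "subject=C = US, ST = My State, O = My Company, OU = My Org, "
    "CN = satellite.example.com\n"
    "X509v3 Subject Alternative Name: \n"
    "    DNS:sat.example.com, DNS:sat-alias.example.com\n"
)
# No SAN extension at all (the case the tool already rejects).
SAMPLE_NO_SAN = "subject=C = US, O = My Company, CN = satellite.example.com\n"


def parse_subject_cn(text):
    """Return the CN from the subject line, accepting both the 'CN = x'
    layout and the legacy '/CN=x' layout; None if there is no CN."""
    m = re.search(r"\bCN\s*=\s*([^,/\n]+)", text)
    return m.group(1).strip() if m else None


def parse_san_dns(text):
    """Return the DNS: entries of the subjectAltName extension, in order."""
    return re.findall(r"DNS:([^,\s]+)", text)


def name_matches(cn, san):
    """Case-insensitive exact match, trailing dot ignored. A wildcard SAN
    such as *.example.com matches exactly one leftmost label (RFC 6125);
    this is an assumption beyond what the bug report specifies."""
    cn = cn.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if cn == san:
        return True
    if san.startswith("*."):
        labels = cn.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return False


def check_cn_in_san(text):
    """Return (ok, message); ok is False for every case the report lists."""
    cn = parse_subject_cn(text)
    if cn is None:
        return False, "subject has no CN"
    dns_names = parse_san_dns(text)
    if not dns_names:
        return False, "certificate has no subjectAltName DNS entries"
    for name in dns_names:
        if name_matches(cn, name):
            return True, f"CN {cn} is covered by SAN entry {name}"
    return False, f"CN {cn} is not covered by any SAN entry: {dns_names}"


def check_cert_file(path):
    """Apply the same check to a real PEM file. Assumes an openssl binary
    with -ext support (1.1.1 or later) on PATH; not exercised offline."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName",
         "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return check_cn_in_san(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, msg = check_cert_file(sys.argv[1])
    else:
        ok, msg = check_cn_in_san(SAMPLE_TYPO)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run with a PEM path to check a real certificate, or with no arguments to see the typo sample rejected; a non-zero exit is what a pre-install check should return so it can gate satellite-installer.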
Comment 1 Bryan Kearney 2020-10-30 20:06:18 UTC
Upstream bug assigned to wclark

Comment 2 Bryan Kearney 2020-10-30 20:06:19 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31051 has been resolved.

Comment 3 Brad Buckingham 2020-11-13 19:46:59 UTC
Fix is in Satellite 6.9 SNAP 1.

Comment 4 Devendra Singh 2020-12-02 10:17:27 UTC
Verified on 6.9.0 Snap3.

Verification steps:

1. # echo 100001 > serial

2. # bash generate-ca.sh
Generating a 2048 bit RSA private key
.................................+++
.............................+++
writing new private key to 'private/cakey.crt'


3. # bash generate-crt.sh xyz.com
..
Generating a 2048 bit RSA private key
.........................+++
.......................................................................................+++
writing new private key to './xyz.com/xyz.com.key'
-----
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'My Org'
.......
......
countryName           :PRINTABLE:'US'
commonName            :PRINTABLE:'Fake CA'
.........
.........
The matching entry has the following details
Type          :Valid
Expires on    :211202090241Z
Serial Number :100001
File name     :unknown
Subject Name  :/C=US/ST=My State/O=My Company/OU=My Org/CN=Fake CA

Comment 7 errata-xmlrpc 2021-04-21 13:18:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313

