Bug 1930782 - Registering RHEL 8 host with FUTURE crypto policy to Satellite using 4096 bit certificate signed by 2048 fails with generic CERTIFICATE_VERIFY_FAILED error.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Certificates
Version: 6.8.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Omkar Khatavkar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-19 14:59 UTC by Jaroslav Krajicek
Modified: 2022-05-03 17:26 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-03 17:26:51 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Knowledge Base (Solution) 5921011 (last updated 2021-03-31 21:39:35 UTC)

Description Jaroslav Krajicek 2021-02-19 14:59:49 UTC
Description of problem:
When using custom certificates on Satellite 6.8,
generating 4096 bit certificate and signing with 2048 bit CA,
katello-certs-check passes and installer applies certificates correctly,
but RHEL hosts with FUTURE policy set are unable to subscribe.

Given that the weak signature weakens the cryptographic strength of the chain,
I'd see this as correct behavior; however, the error is the same as in other instances, and it is unclear where the issue originates.

Version-Release number of selected component (if applicable):
Satellite 6.8

How reproducible:
Consistently

Steps to Reproduce:
1. Generate 4096 bit certificate with OpenSSL
2. Generate request to sign the certificate
3. Sign the certificate with 2048 CA
4. Run katello-certs-check and install the certificate on Satellite
5. Try to register RHEL 8 host with FUTURE crypto policy set

Actual results:
`Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)`

Expected results:
a) Warning or stopping the Satellite operator during katello-certs-check
b) Having a specific / easy to trace error output on the host during registration

Additional info:
Extracted and modified `ownca` commands can be used for easy reproduction,
using 4096 / 2048 bit keys and operations respectively

Comment 1 Jaroslav Krajicek 2021-02-19 15:32:51 UTC
Reproduction:

~~~
######################################################################## 100.0%
Generating a 2048 bit RSA private key
.................+++
........+++
writing new private key to 'private/cakey.crt'
-----
Generating RSA private key, 4096 bit long modulus
...................................++
........................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'State'
localityName          :ASN.1 12:'City'
organizationName      :ASN.1 12:'Organization'
organizationalUnitName:ASN.1 12:'Division'
commonName            :ASN.1 12:'satellite.example.com'
Certificate is to be certified until Feb 19 15:12:03 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking CA bundle size: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


To install the Red Hat Satellite Server with the custom certificates, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/tmp/tmp.MV0JwM63nw/satellite_cert.pem" \
                      --certs-server-key "/tmp/tmp.VdEfT9W0Ou/satellite_cert_key.pem" \
                      --certs-server-ca-cert "/tmp/tmp.MV0JwM63nw/cacert.crt"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/tmp/tmp.MV0JwM63nw/satellite_cert.pem" \
                      --certs-server-key "/tmp/tmp.VdEfT9W0Ou/satellite_cert_key.pem" \
                      --certs-server-ca-cert "/tmp/tmp.MV0JwM63nw/cacert.crt" \
                      --certs-update-server --certs-update-server-ca
To use them inside a NEW $CAPSULE, rerun this command with -t capsule
Package versions are locked. Continuing with unlock.
Marking certificate /root/ssl-build/satellite.example.com/satellite.example.com-apache for update
Marking certificate /root/ssl-build/satellite.example.com/satellite.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Preparing installation Done                                              
  Success!
  * Satellite is running at https://satellite.example.com

  * To install an additional Capsule on separate machine continue by running:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  * To upgrade an existing 6.7 Capsule to 6.8:
      Please see official documentation for steps and parameters to use when upgrading a 6.7 Capsule to 6.8.

  * Capsule is running at https://satellite.example.com:9090
  The full log is at /var/log/foreman-installer/satellite.log
Package versions are being locked.

[...satellite-installer omitted...]
~~~

~~~
# openssl verify -verbose -CAfile "/tmp/tmp.MV0JwM63nw/cacert.crt" "/tmp/tmp.MV0JwM63nw/satellite_cert.pem"
/tmp/tmp.MV0JwM63nw/satellite_cert.pem: OK
~~~

On RHEL 8 host:
~~~
[~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)

[~]# update-crypto-policies --set FUTURE
Setting system policy to FUTURE
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[~]# rpm -e $(rpm -qa 'katello-ca-consumer*'); rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Retrieving http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:katello-ca-consumer-satellite.exa################################# [100%]

[~]# subscription-manager register --user admin --pass redhat
Registering to: satellite.example.com:443/rhsm
Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

[~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[~]# subscription-manager register --user admin --pass redhat
Registering to: satellite.example.com:443/rhsm
The system has been registered with ID: 11dbef61-6651-43ff-9faa-67f6ee60d3d3
The registered system name is: host.example.com
~~~

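The reproduction in the description and in Comment 1 leaves the operator with only a generic CERTIFICATE_VERIFY_FAILED on the client, because python-requests/ssl does not surface OpenSSL's actual verify reason. The following script is an added example for this page; it is not part of the bug report, of katello-certs-check or of any Red Hat tool, and all file and function names in it are made up. It rebuilds the chain from Comment 1 in a temporary directory (2048-bit RSA self-signed CA, 4096-bit RSA server certificate signed by that CA), then verifies it twice with `openssl verify -auth_level`: level 2 (112-bit security, the OpenSSL SECLEVEL the DEFAULT policy sets) accepts it, level 3 (128-bit security, the SECLEVEL the FUTURE policy sets, which needs RSA keys of at least 3072 bits) rejects it with the specific reason "CA certificate key too weak". The last function is the pre-flight check Comment 4 asks about, applied to a single CA certificate file: read the CA's RSA modulus size and compare it with the FUTURE floor. It assumes an OpenSSL 1.1.0 or newer `openssl` binary (for `-auth_level`) and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the bug report or from katello-certs-check.
# Rebuilds the weak chain from Comment 1 and shows (a) the specific OpenSSL
# error that the generic CERTIFICATE_VERIFY_FAILED hides and (b) a CA
# key-size check that would have warned the operator before installation.

# RHEL 8 FUTURE policy: RSA keys must be at least 3072 bits (OpenSSL SECLEVEL 3).
FUTURE_MIN_RSA_BITS=3072

# Build the chain from the report inside directory $1 (all names hypothetical):
#   cacert.pem / cakey.pem : 2048-bit RSA self-signed CA
#   server.pem / server.key: 4096-bit RSA server cert signed by that CA
make_weak_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Weak CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -subj "/CN=satellite.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1 || return 1
}

# Print the RSA modulus size in bits of the public key in certificate $1.
# Matches both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 3).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Verify certificate $2 against CA $1 at OpenSSL auth level $3 and print a
# one-line reason: "OK", the specific key-strength error, or OpenSSL's last
# line for anything else. Level 2 = 112-bit security (RSA >= 2048, DEFAULT),
# level 3 = 128-bit security (RSA >= 3072, FUTURE).
verify_at_level() {
    out=$(openssl verify -auth_level "$3" -CAfile "$1" "$2" 2>&1)
    case "$out" in
        *"CA certificate key too weak"*) echo "CA certificate key too weak" ;;
        *"EE certificate key too weak"*) echo "EE certificate key too weak" ;;
        *": OK"*)                        echo "OK" ;;
        *)                               printf '%s\n' "$out" | tail -n 1 ;;
    esac
}

# The check the report asks for: succeed (exit 0) only if the CA certificate
# in file $1 has an RSA key that FUTURE-policy clients will accept.
ca_meets_future_policy() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$FUTURE_MIN_RSA_BITS" ]
}

main() {
    work=$(mktemp -d)
    make_weak_chain "$work" || { echo "chain generation failed" >&2; exit 1; }
    echo "CA key: $(cert_key_bits "$work/cacert.pem") bit," \
         "server key: $(cert_key_bits "$work/server.pem") bit"
    echo "auth_level 2 (DEFAULT): $(verify_at_level "$work/cacert.pem" "$work/server.pem" 2)"
    echo "auth_level 3 (FUTURE):  $(verify_at_level "$work/cacert.pem" "$work/server.pem" 3)"
    if ca_meets_future_policy "$work/cacert.pem"; then
        echo "CA key is acceptable for FUTURE-policy clients"
    else
        echo "WARNING: CA key is below $FUTURE_MIN_RSA_BITS bits;" \
             "RHEL 8 hosts with the FUTURE crypto policy will fail to register"
    fi
    rm -rf "$work"
}

main "$@"
```

The same verification can be run on the client against the installed bundle (`openssl verify -auth_level 3 -CAfile /etc/rhsm/ca/katello-server-ca.pem` on the server certificate fetched with `openssl s_client -showcerts`) to turn the generic subscription-manager error into the "CA certificate key too weak" reason before switching the policy back to DEFAULT.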
Comment 4 Evgeni Golov 2022-01-25 14:45:18 UTC
Should katello-certs-check issue information to the user that a 2k CA might be insufficient in some cases?
Probably doesn't deserve a warning as it's OK in *most* cases, but not if you have FUTURE-enabled clients?

Comment 7 Eric Helms 2022-05-03 17:26:51 UTC
As the core of this BZ has been fixed and released already, I am opting to close as current release.
