Bug 1951662 - The Artemis client certificate is not updated in truststore if it changes
Summary: The Artemis client certificate is not updated in truststore if it changes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: 6.9.2
Assignee: Eric Helms
QA Contact: Devendra Singh
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-20 16:53 UTC by Eric Helms
Modified: 2021-06-20 12:38 UTC
CC: 9 users

Fixed In Version: foreman-installer-2.3.1.13-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-20 18:05:30 UTC
Target Upstream Version:
Embargoed:

Links
Foreman Issue Tracker 31574 (priority Normal, status Ready For Testing): The Artemis client certificate is not updated in truststore if it changes; last updated 2021-04-20 16:53:50 UTC
Red Hat Knowledge Base (Solution) 6027421; last updated 2021-05-10 10:17:26 UTC
Red Hat Product Errata RHBA-2021:2074; last updated 2021-05-20 18:05:40 UTC

Description Eric Helms 2021-04-20 16:53:49 UTC
The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>

[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt  | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095

However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>

[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B

Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>

[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56

They should match, but don't.

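A check for the mismatch described above, written as an added example (it is not code from the bug report, Candlepin or the Foreman installer): it computes the SHA1 fingerprint of a PEM certificate the way `openssl x509 -fingerprint -sha1` prints it and compares it with the 'artemis-client' entry parsed from `keytool -list` output. The keytool listing is the one quoted in the report; the PEM body is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample: the keytool listing from the bug report, with the stale
# 'artemis-client' entry that no longer matched java-client.crt.
STALE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B
"""

# Constructed stand-in for /etc/pki/katello/certs/java-client.crt. The body is
# arbitrary bytes, not a real certificate: the SHA1 fingerprint is SHA-1 over the
# DER (base64-decoded) bytes, so the computation is the same for a real one.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed DER stand-in for java-client.crt").decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_sha1_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in pem_text, formatted the way
    `openssl x509 -noout -fingerprint -sha1` and `keytool -list` print it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def keytool_entry_fingerprint(keytool_output: str, alias: str) -> Optional[str]:
    """SHA1 fingerprint `keytool -list` printed for alias, or None if the alias is absent."""
    lines = keytool_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith(alias + ","):
            # keytool prints the fingerprint on the line after the alias line.
            fm = re.search(r"Certificate fingerprint \(SHA1\): ([0-9A-F:]+)", lines[i + 1])
            return fm.group(1) if fm else None
    return None

def truststore_is_current(pem_text: str, keytool_output: str, alias: str = "artemis-client") -> bool:
    """True only when the truststore entry matches the certificate on disk."""
    return keytool_entry_fingerprint(keytool_output, alias) == pem_sha1_fingerprint(pem_text)

if __name__ == "__main__":
    # On the Satellite host, feed the real java-client.crt and `keytool -list` output instead.
    print("truststore current:", truststore_is_current(SAMPLE_PEM, STALE_KEYTOOL_OUTPUT))
```

With the report's truststore listing the check reports a stale entry; after the fixed installer re-imports the certificate, the two fingerprints agree and it returns True.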
Comment 1 Eric Helms 2021-04-20 16:53:53 UTC
Created from redmine issue https://projects.theforeman.org/issues/31574

Comment 2 Eric Helms 2021-04-20 16:53:55 UTC
Upstream bug assigned to ehelms

Comment 3 Stephen Wadeley 2021-04-20 18:26:22 UTC
Hello

We hit this in Pulp3 migration, the workaround:
rm -rf /etc/candlepin/certs/truststore && foreman-installer

Comment 4 Bryan Kearney 2021-04-21 20:01:32 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31574 has been resolved.

Comment 10 Devendra Singh 2021-05-07 05:10:45 UTC
Verified on 6.9.2 Snap2.

Verification points:

1- Generated the new certificate using the satellite-installer

satellite-installer  --certs-update-all
2021-05-07 00:57:04 [NOTICE] [root] Loading default values from puppet modules...
2021-05-07 00:57:10 [NOTICE] [root] ... finished
2021-05-07 00:57:13 [NOTICE] [root] Running validation checks
Package versions are locked. Continuing with unlock.
2021-05-07 00:57:24 [NOTICE] [configure] Starting system configuration.
  The total number of configuration tasks may increase during the run.
  Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-07 00:57:39 [NOTICE] [configure] 100 out of 2363 done.
2021-05-07 01:00:09 [NOTICE] [configure] System configuration has finished.
  Success!


2- Checked the certificate at /root/ssl-build/${hostname} location.
# ls -l /root/ssl-build/xyz.com|wc -l
58

3- Removed the certificate from /root/ssl-build/${hostname}, ran the installer again and found the certificate updated successfully at the /root/ssl-build/${hostname} location.

# rm -rf /root/ssl-build/xyz.com

# satellite-installer  --certs-update-all
2021-05-07 01:02:08 [NOTICE] [root] Loading default values from puppet modules...
2021-05-07 01:02:14 [NOTICE] [root] ... finished
2021-05-07 01:02:17 [NOTICE] [root] Running validation checks
Package versions are locked. Continuing with unlock.
2021-05-07 01:02:27 [NOTICE] [configure] Starting system configuration.
  The total number of configuration tasks may increase during the run.
  Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-07 01:02:43 [NOTICE] [configure] 100 out of 2363 done.
....
2021-05-07 01:05:09 [NOTICE] [configure] 3200 out of 3223 done.
2021-05-07 01:05:13 [NOTICE] [configure] System configuration has finished.
  Success!

# ls -l /root/ssl-build/xyz.com|wc -l
58

4- Verified the fixed package

# rpm -qa|grep foreman-installer-2.3.1.13-1
foreman-installer-2.3.1.13-1.el7sat.noarch

Comment 11 Eric Helms 2021-05-07 13:08:17 UTC
I think the only part you are missing is either verification of the truststore or if you want to verify Satellite behavior, hitting the ping API and verifying all services are happy.

Comment 12 Devendra Singh 2021-05-07 16:25:28 UTC
(In reply to Eric Helms from comment #11)
> I think the only part you are missing is either verification of the
> truststore or if you want to verify Satellite behavior, hitting the ping API
> and verifying all services are happy.

Checked the candlepin services after the certificate update; they work fine.

# hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          ok
    Server Response: Duration: 345ms
candlepin_events: 
    Status:          ok
    message:         3 Processed, 0 Failed
    Server Response: Duration: 0ms
candlepin_auth:   
    Status:          ok
    Server Response: Duration: 41ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp:             
    Status:          ok
    Server Response: Duration: 279ms
pulp_auth:        
    Status:          ok
    Server Response: Duration: 147ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 5ms

Comment 21 errata-xmlrpc 2021-05-20 18:05:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Satellite 6.9.2 Async Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2074
