Bug 710188 - OSA-Dispatcher service fails to verify signed SSL certificate
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space17
 
Reported: 2011-06-02 15:52 UTC by JDavis4102
Modified: 2012-03-21 16:06 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-03-21 16:06:59 UTC
Embargoed:



Description JDavis4102 2011-06-02 15:52:24 UTC
Description of problem:
OSA-Dispatcher service fails to verify signed SSL certificate from CA when the certificate enables the x509v3 Key Usage extension with the following options: 

critical
Digital Signature
Key Encipherment

If we add Certificate Sign to the Key Usage extension, everything works as expected. This is an issue, as Certificate Sign is for CA certificates only, to allow for certificate signing, based on RFC 5280 (http://www.ietf.org/rfc/rfc5280.txt).


Version-Release number of selected component (if applicable):
1.2, 1.3, and I think 1.4 (unable to test at this time)


How reproducible:
Generate SSL certificate with the Key Usage extension with the 3 options noted above. 


Steps to Reproduce:
1. Generate the SSL certificate with the Key Usage extension set to critical, Digital Signature, Key Encipherment
cd /root
# Rebuild the trust file from the externally signed server certificate
# (openssl x509 reads a single certificate and prints its text dump followed by its PEM)
cat /dev/null > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
openssl x509 -in <Location of file>server.crt -text >> /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
/bin/cp -f <Location of file>server.key /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
# Drop the signed server certificate, key and CSR into the rhn-ssl-tool build directory
openssl x509 -in <Location of file>server.crt -text > /root/ssl-build/spacewalkdev/server.crt
/bin/cp -f <Location of file>server.key /root/ssl-build/spacewalkdev/server.key
/bin/cp -f <Location of file>server.csr /root/ssl-build/spacewalkdev/server.csr
# Build and install the httpd key-pair RPM from those files
rhn-ssl-tool --gen-server --set-hostname=spacewalkdev.intranet.gdg --rpm-only
rpm -Fvh ./ssl-build/spacewalkdev/rhn-org-httpd-ssl-key-pair-spacewalkdev-1.0-56.noarch.rpm
# jabberd (what osa-dispatcher connects to) wants certificate and key in one PEM file
cat /dev/null > /root/ssl-build/spacewalkdev/server.pem
cat <Location of file>server.crt >> /root/ssl-build/spacewalkdev/server.pem
cat <Location of file>server.key >> /root/ssl-build/spacewalkdev/server.pem
/bin/cp -f /root/ssl-build/spacewalkdev/server.pem /etc/pki/spacewalk/jabberd/server.pem
# Publish the trust file for clients and restart
/bin/cp -f /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
spacewalk-service restart

  
Actual results:
osa fails to verify SSL certificate.

Expected results:
Verify SSL certificate.

Comment 1 JDavis4102 2011-06-06 15:36:42 UTC
Any idea as to a resolution for this issue?

Comment 2 JDavis4102 2011-06-08 21:02:10 UTC
Updated to reflect issue is seen in Spacewalk 1.4 as well.

Comment 3 Jan Pazdziora (Red Hat) 2011-07-20 11:50:56 UTC
Aligning under space16.

Comment 4 Jan Pazdziora (Red Hat) 2011-07-20 21:31:01 UTC
(In reply to comment #0)
> Actual results:
> osa fails to verify SSL certificate.

What's the exact error that you get?

Comment 5 JDavis4102 2011-07-29 16:45:19 UTC
the exact error is as follows:

Starting osa-dispatcher: RHN 10059 2011/07/29 09:44:48 -07:00: ('Traceback caught:',)
RHN 10059 2011/07/29 09:44:48 -07:00: ('Traceback (most recent call last):\n  File "/usr/share/rhn/osad/jabber_lib.py", line 610, in connect\n    ssl.do_handshake()\nError: [(\'SSL routines\', \'SSL3_GET_SERVER_CERTIFICATE\', \'certificate verify failed\')]\n',)

Comment 6 JDavis4102 2011-10-14 16:52:47 UTC
Any updates as to the status of this bug report?

Comment 7 JDavis4102 2011-11-29 16:22:34 UTC
Any updates as to the status of this bug report?

Comment 8 Michael Mráka 2011-12-07 11:10:51 UTC
If you do diff -u RHN-ORG-TRUSTED-SSL-CERT.old RHN-ORG-TRUSTED-SSL-CERT.new are there any other changes (except for serial number, modulus and the cert hash)?

Could you please describe more precisely how did you generate cert in the step
  1. Generate SSL certificate with the Key Usage extension with critical, Digital
  Signature, Key Encipherment
?

Thanks.

Comment 9 JDavis4102 2012-01-03 23:19:33 UTC
The Key Usage has the extra extensions added to it.

To generate the certs I use openssl and pass it a custom openssl.conf file with the following in this file.

keyUsage=critical, digitalSignature, keyEncipherment

That is all that I am doing different.

Comment 10 Jan Pazdziora (Red Hat) 2012-02-24 15:23:39 UTC
I cannot reproduce the problem on RHEL 6 with

# rpm -q openssl jabberd osa-dispatcher
openssl-1.0.0-20.el6.x86_64
jabberd-2.2.14-1.el6.x86_64
osa-dispatcher-5.10.35-1.el6.noarch

The standard spacewalk-setup and related tools already create the jabberd certificate without the Certificate Sign:

# openssl x509 -text -in /etc/pki/spacewalk/jabberd/server.pem | grep -A1 Usage
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
# openssl x509 -text -in /etc/httpd/conf/ssl.crt/server.crt | grep -A1 Usage
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

Obviously the CA certificate has Certificate Sign:

# openssl x509 -text -in /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT | grep -A1 Usage
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

If I understand it correctly, your situation is different in adding the critical to the key extensions.

So I've patched sslToolConfig.py with

# diff -u /usr/share/rhn/certs/sslToolConfig.py.orig /usr/share/rhn/certs/sslToolConfig.py
--- /usr/share/rhn/certs/sslToolConfig.py.orig	2012-02-10 08:23:43.000000000 -0500
+++ /usr/share/rhn/certs/sslToolConfig.py	2012-02-24 10:08:37.979190846 -0500
@@ -379,7 +379,7 @@
 
 [ req_server_x509_extensions ]
 basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 nsCertType = server
 # PKIX recommendations harmless if included in all certificates.
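Review bot: the critical flag added here is the right default for a server template (RFC 5280 section 4.2.1.3: when keyUsage is present, conforming CAs SHOULD mark it critical), but it only changes what a verifier that does not understand keyUsage must do (reject the certificate); OpenSSL understands the extension and enforces the bits whether or not they are critical, which is why toggling critical alone reproduces nothing. What this hunk must keep is the bit set itself: RFC 5246 section 7.4.2 requires keyEncipherment on the server certificate for the RSA key-exchange suites (the server's key decrypts the premaster secret) and digitalSignature for the DHE_RSA/ECDHE_RSA suites (the server signs the key exchange), so a template change that dropped either bit would break handshakes that this one does not. Since /usr/share/rhn/certs/sslToolConfig.py is a packaged file, a comment in the hunk saying this is a local reproduction edit and not a supported knob would stop anyone treating the patched copy as configuration.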
@@ -407,7 +407,7 @@
 
 [ req_server_x509_extensions ]
 basicConstraints = CA:false
-keyUsage = digitalSignature, keyEncipherment
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 nsCertType = server
 # PKIX recommendations harmless if included in all certificates.
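Review bot: this second hunk is the same one-line change applied to a second, verbatim copy of the [ req_server_x509_extensions ] block about thirty lines further down in the same file, which shows that sslToolConfig.py carries the server extension template twice. Two identical copies is how one of them gets missed on the next edit, so it would be worth factoring the shared keyUsage / extendedKeyUsage / basicConstraints lines out, or at least adding a comment in each copy pointing at the other; anyone reproducing this needs to know both must be patched before rerunning spacewalk-setup.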

and rerun spacewalk-setup. Now I have

# openssl x509 -text -in /etc/pki/spacewalk/jabberd/server.pem | grep -A1 Usage
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
# openssl x509 -text -in /etc/httpd/conf/ssl.crt/server.crt | grep -A1 Usage
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

and osa-dispatcher starts just fine:

# service osa-dispatcher start
Starting osa-dispatcher: [  OK  ]
#

Please clarify if the change you attempt to do to the certificates is the critical marking, or something else. Also, what is the role of that Certificate Sign extension you mention.

Comment 11 JDavis4102 2012-02-24 16:05:58 UTC
In order to allow Spacewalk to accept the certificate when using critical and Digital Signature, you need to add the keyEncipherment extension. This keyEncipherment extension is used on CAs to sign certificates. The reason for this bug is that I have a certificate that was generated by a CA that has the critical and Digital Signature extensions enabled (which is correct based on RFC 5280). This certificate doesn't work with Spacewalk until I add the keyEncipherment, which is not correct based on the following RFC. So it appears that Spacewalk is looking for the keyEncipherment extension in combination with critical and Digital Signature.

RFC 5280
(http://www.ietf.org/rfc/rfc5280.txt)

Comment 12 JDavis4102 2012-02-24 16:12:04 UTC
I am sorry, I think I may have misread your comment. It seems like the packages you are using are newer than the 1.6 install I have in my Dev environment. I am currently testing with 1.6, so I am unable to upgrade to nightly to see if 1.7 resolves the issue. If you added the critical and Digital Signature extension and it works, then it might have been resolved. This bug was opened using Spacewalk 1.4.

Comment 13 JDavis4102 2012-02-24 16:15:08 UTC
Also I stated the wrong information in my last post. Seems like I need some more sleep or something. lol I will see if I can test this in 1.6 to see if everything is working as it should. I will post back with my results.

Comment 14 Jan Pazdziora (Red Hat) 2012-02-24 16:19:06 UTC
(In reply to comment #11)
> In order to allow Spacewalk to accept the certificate when using critical and
> Digital Signature you need to add the keyEncipherment extension. This
> keyEncipherment extension is used on CAs to sign certificates.

No, keyEncipherment is used to encrypt keys.

> The reason for
> this bug is that I have a certificate that was generated by a CA that has the
> Critical and Digital Signature extensions enabled (Which is correct based on
> RFC5280). This certificate doesn't work with Spacewalk until I add the
> keyEncipherment which is not correct based on the following RFC. So it appears
> that Spacewalk is looking for the keyEncipherment extension in combination with
> critical and Digital Signature.

It's not Spacewalk which would be looking for something. It's the SSL protocol which needs the key encryption.

Comment 15 Jan Pazdziora (Red Hat) 2012-02-24 16:22:17 UTC
(In reply to comment #12)
> I am sorry, I think I may have misread your comment. Seems like the packages
> you are using are newer than 1.6 install I have in my Dev environment. I am
> currently in testing with 1.6 so I am unable to upgrade to nightly to see if
> 1.7 resolves the issue. If you added critical and Digital Signature extension
> and it works then it might have been resolved. This bug was open with using
> Spacewalk 1.4.

Nothing was added to Spacewalk with respect to the key extensions, ever. It's still the same.

Closing as NOTABUG, please reopen if you disagree.

Comment 16 JDavis4102 2012-02-25 00:32:42 UTC
Jan, 

I am reopening as I may have found the true issue. It is dealing with the RHN-ORG-TRUSTED-SSL-CERT cert. Why does this need Certificate Sign? When I change the RHN-ORG-TRUSTED-SSL-CERT file and add this file to /var/www/html/pub/, I am using my signed certificate that I received from my CA.

Is there another place where I need to put my CA certificate? If I try to use my CA certificate (which has Certificate Sign) in place of my signed certificate for the RHN-ORG-TRUSTED-SSL-CERT file it doesn't work either. 

What are the steps in order to get a signed certificate into Spacewalk and allow osa-dispatcher to work, as I am unable to get this working with the current release of osa-dispatcher (1.6 release, not nightly)?


#rpm -q openssl jabberd osa-dispatcher
openssl-0.9.8e-20.el5_7.1.0.1.centos
jabberd-2.2.11-3.el5
osa-dispatcher-5.10.34-1.el5

Comment 17 Jan Pazdziora (Red Hat) 2012-02-25 15:27:35 UTC
(In reply to comment #16)
> Jan, 
> 
> I am reopening as I may have found the true issue. It is dealing with the
> RHN-ORG-TRUSTED-SSL-CERT cert. Why does this need Certificate Sign. When I

Because it's the CA certificate.

> change the RHN-ORG-TRUSTED-SSL-CERT file and add this file to
> /var/www/html/pub/ I am using my signed certificate that I received from my CA. 

Which *this* file? The file is in /var/www/html/pub/ only to be easily fetched by kickstarted clients, it's not used for any operations.

If you are using a signed certificate from your CA, you have to make it possible for your clients and for osa-dispatcher to verify the certificate.

> Is there another place where I need to put my CA certificate? If I try to use

Another besides what? By default, the RHN-ORG-TRUSTED-SSL-CERT is in /usr/share/rhn. That's also the location configured for osa-dispatcher in /etc/rhn/rhn.conf.

> my CA certificate (which has Certificate Sign) in place of my signed
> certificate for the RHN-ORG-TRUSTED-SSL-CERT file it doesn't work either. 

I'm sorry, I don't understand what you try to do.

> What are the steps in order to get a signed certificate into Spacewalk and
> allow osa-dispatcher to work as I am unable to get this working with the
> current release of osa-dispather (1.6 release not nightly)

You put the server certificate in the httpd and jabberd directories, and you put the CA certificate in the location configured in /etc/rhn/rhn.conf on the server and in /etc/sysconfig/rhn/up2date on clients (it's /usr/share/rhn by default).

Please use spacewalk-list for other usage questions.

Comment 18 JDavis4102 2012-03-08 16:59:53 UTC
I have contacted spacewalk-list, with only one person who provided assistance. They provided the same steps I was using to get a CA-signed cert to work with Spacewalk. It seems the issue is with RHN-ORG-TRUSTED-SSL-CERT. Based on the instructions I am following, I put my CA bundle in this file using the following steps. It seems to me that the bug is in the validation of RHN-ORG-TRUSTED-SSL-CERT. If that cert is supposed to be the CA, then my public CA cert bundle should work without issue. Due to the fact that it does not, I would consider this a bug.


# Stop Spacewalk service
spacewalk-service stop

# Remove jabberd DB
rm -f /var/lib/jabberd/db/*

# Copy the spacewalk signed Key, CSR, and Crt to /root/swkeys/
# Copy the server certificate details into their build location.
# Make sure you change <hostname> to the correct name of the server used to access the Spacewalk web UI. Not the FQDN.
openssl x509 -in /root/swkeys/spacewalkdev/spacewalkdev.<removed for security>.crt -text > /root/ssl-build/spacewalkdev/server.crt
/bin/cp -f /root/swkeys/spacewalkdev/spacewalkdev.<removed for security>.csr /root/ssl-build/spacewalkdev/server.csr
/bin/cp -f /root/swkeys/spacewalkdev/spacewalkdev.<removed for security>.key /root/ssl-build/spacewalkdev/server.key
cat /root/ssl-build/spacewalkdev/server.crt /root/ssl-build/spacewalkdev/server.key > /root/ssl-build/spacewalkdev/server.pem

# Now change directory into the /root/ directory to build the RPM.
cd /root/

# Perform an rpm build to create the SSL rpm package.
rhn-ssl-tool --gen-server --set-hostname=spacewalkdev.<removed for security> --rpm-only

# Now update the installed package with the latest version.
# Make sure you replace <latest-version> to the latest version found in that directory.
rpm -Fvh ./ssl-build/spacewalkdev/rhn-org-httpd-ssl-key-pair-spacewalkdev-<latest-version>.noarch.rpm

# Make sure RHN-ORG-TRUSTED-SSL-CERT has been updated with the correct information.
cat /dev/null > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
openssl x509 -in /root/swkeys/spacewalkdev/CA_bundle.crt -text >> /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

# Perform an rpm build to create the CERT rpm package for clients.
rhn-ssl-tool --gen-ca --rpm-only

# Copy the newly created SSL-Cert to the /var/www/html/pub directory.
/bin/cp -f /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

# /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT is the location set as default in /etc/rhn/rhn.conf I didn't change it.

# Once all has been copied and updated start the Spacewalk server.
spacewalk-service start

After I restart the service I get the error noted above about osa-dispatcher unable to verify cert.

The following is what I have for that cert in extensions:

 X509v3 extensions:
            X509v3 Subject Key Identifier:
                Removed
            X509v3 Authority Key Identifier:
                keyid:Removed

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Authority Information Access:
                OCSP - URI:http://<removed for security>

            X509v3 CRL Distribution Points:
                URI:http://<removed for security>

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://<removed for security>

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption

Comment 19 Jan Pazdziora (Red Hat) 2012-03-21 11:04:29 UTC
What does

# diff /etc/pki/spacewalk/jabberd/server.pem /etc/httpd/conf/ssl.crt/server.crt

print?

What does

# openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/spacewalk/jabberd/server.pem

show?

Comment 20 JDavis4102 2012-03-21 15:38:34 UTC
Ok, I apologize for wasting everyone's time on this. After running the openssl verify -CAfile command, it led me to the root cause of the issue. For others that may run into this, below are the steps I used to get this to work.

It seems that my CA bundle, and how I was adding it to RHN-ORG-TRUSTED-SSL-CERT, was the cause of my issues. I was using the openssl text export when I should have just cat'ed the CA bundle directly into RHN-ORG-TRUSTED-SSL-CERT. Doing a cat of the CA bundle directly into RHN-ORG-TRUSTED-SSL-CERT without making any changes to anything allowed everything to come up and start working.
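
The following POSIX shell script is an added worked example, not code from this bug report or from Spacewalk. It reproduces what comment 20 found, and goes a step beyond the thread by building the whole chain itself: a throwaway root CA, an issuing CA with the reporter's extensions from comment 18 (CA:TRUE, pathlen:0, critical Certificate Sign / CRL Sign), a server certificate with the reporter's critical digitalSignature, keyEncipherment, and a CA_bundle.crt holding issuing CA plus root. It then writes the trust file both ways (the openssl x509 -text export from comment 18 and the plain cat from comment 20) and runs the openssl verify -CAfile check from comment 19 against each. It assumes only the openssl command-line tool (1.0 or newer); the CA names, the hostname spacewalkdev.example.test and the temporary work directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not Spacewalk code): "openssl x509" reads ONE certificate from its
# input, so dumping a CA bundle with "openssl x509 -in CA_bundle.crt -text" re-emits
# only the first certificate (the issuing CA) and silently drops the root. A trust file
# built that way has no self-signed anchor, so "openssl verify -CAfile" fails with the
# same "certificate verify failed" condition osa-dispatcher hit in jabber_lib.py.
# All subjects, file names and the work directory below are made up for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Extension profiles mirroring the thread: root CA, issuing CA with the reporter's
# "CA:TRUE, pathlen:0 / critical Certificate Sign, CRL Sign", and a server certificate
# with the reporter's "critical, digitalSignature, keyEncipherment".
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:spacewalkdev.example.test
EOF

# Issue root -> issuing CA -> server and assemble CA_bundle.crt the way a public CA
# hands it out: issuing CA first, root last.
build_chain() {
    for n in root issuing server; do
        openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null
    done
    openssl req -x509 -new -key "$WORK/root.key" -config "$CNF" -extensions v3_root \
        -subj "/CN=Example Root CA" -days 2 -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -key "$WORK/issuing.key" -config "$CNF" \
        -subj "/CN=Example Issuing CA" -out "$WORK/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$CNF" -extensions v3_issuing \
        -out "$WORK/issuing.crt" 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$CNF" \
        -subj "/CN=spacewalkdev.example.test" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/issuing.crt" -CAkey "$WORK/issuing.key" \
        -CAcreateserial -days 2 -extfile "$CNF" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
    cat "$WORK/issuing.crt" "$WORK/root.crt" > "$WORK/CA_bundle.crt"
}

# Number of PEM certificates in a file.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# The thread's broken step (comment 18): text dump plus the PEM of the FIRST cert only.
export_with_x509_text() { openssl x509 -in "$WORK/CA_bundle.crt" -text > "$1"; }

# The fix from comment 20: copy the bundle verbatim, both certificates included.
export_with_cat() { cat "$WORK/CA_bundle.crt" > "$1"; }

# Exit 0 if server.crt chains to a self-signed root in the trust file (comment 19's check).
verify_against() { openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; }

build_chain
export_with_x509_text "$WORK/trusted.x509text"
export_with_cat "$WORK/trusted.cat"
for f in trusted.x509text trusted.cat; do
    if verify_against "$WORK/$f"; then r=OK; else r=FAILED; fi
    printf '%s: %s certificate(s), verify %s\n' "$f" "$(count_certs "$WORK/$f")" "$r"
done
```

Two details decide the outcome. First, openssl x509 without -noout does append the PEM block after the text dump, and OpenSSL's PEM reader skips the text in front of it, so the human-readable prefix is harmless; what is lost is every certificate after the first one in the bundle. Second, OpenSSL's default path validation must end at a self-signed certificate held in the trust store (no partial-chain trust until much later releases), so a trust file containing only the issuing CA fails with "unable to get issuer certificate", which surfaces through osa-dispatcher as the "certificate verify failed" traceback in comment 5. Running openssl verify -CAfile with exactly the file and certificate the service uses, as comment 19 asks, is the quickest way to tell a trust-store problem from a keyUsage one.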

Comment 21 Jan Pazdziora (Red Hat) 2012-03-21 16:06:59 UTC
Thank you for the confirmation. Closing.

