Bug 800093
| Summary: | CRL preventing repository access - Client certificate did not match the global repo auth CA certificate | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | James Laska <jlaska> |
| Component: | Content Management | Assignee: | Mike McCune <mmccune> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Og Maciel <omaciel> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.0.0 | CC: | bkearney, cpelland, ftaylor, jmatthew, jturner, mmccune, omaciel, scollier |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-22 18:30:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
James Laska
2012-03-05 17:56:25 UTC
The cause of the CRL not working was the lack of "CRL Sign" under "X509v3 Key Usage".
Example:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
Change is here:
$ git diff
diff --git a/certs-tools/certs/sslToolConfig.py b/certs-tools/certs/sslToolConfig.py
index a8ae8e1..0c31f51 100644
--- a/certs-tools/certs/sslToolConfig.py
+++ b/certs-tools/certs/sslToolConfig.py
@@ -368,9 +368,9 @@ x509_extensions = req_ca_x509_extensions
[ req_ca_x509_extensions ]
basicConstraints = CA:true
-keyUsage = digitalSignature, keyEncipherment, keyCertSign
+keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
-nsCertType = server
+nsCertType = server, sslCA
# PKIX recommendations harmless if included in all certificates.
nsComment = "Katello SSL Tool Generated Certificate"
subjectKeyIdentifier = hash
With above change:
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Cert Type:
SSL Server, SSL CA
Netscape Comment:
Katello SSL Tool Generated Certificate
X509v3 Subject Key Identifier:
97:304:FD:618:C0:23:F2:7B:9A:ED:B16:7F:B2:55:97:BA:40
X509v3 Authority Key Identifier:
keyid:97:304:FD:618:C0:23:F2:7B:9A:ED:B16:7F:B2:55:97:BA:40
DirName:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Cloud BU/CN=beta.lan
serial:81:16:C6:95:B6:39:67:52
Without change:
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Cert Type:
SSL Server
Netscape Comment:
Katello SSL Tool Generated Certificate
X509v3 Subject Key Identifier:
E5:43:F7:80:B0:6A:69:EA:0F:73:E08:771:09:01:70:AF:83:FE
X509v3 Authority Key Identifier:
keyid:E5:43:F7:80:B0:6A:69:EA:0F:73:E08:771:09:01:70:AF:83:FE
DirName:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Cloud BU/CN=beta.lan
serial:B1:4A:85:8B:45:ED:3D:65
For background, this is the command I ran after patching the sslToolConfig.py to examine what the new ca would look like.
katello-ssl-tool --gen-ca -p "$(cat /etc/katello/candlepin_ca_password-file)" --set-country 'US' --set-state 'North Carolina' --set-city 'Raleigh' --set-org 'Red Hat' --set-org-unit 'Cloud BU' --set-common-name `hostname` --set-email '' --ca-key 'candlepin-cert.key' --ca-cert 'candlepin-cert.crt' --ca-cert-rpm 'katello-candlepin-cert-key-pair' -vvv --force
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Due to a bug in how certificates are constructed during System Engine configuration, the certificate restriction list (CRL) blocks all katello-hosted repository access. This issue will be resolved in a future katello update. In the meantime, to work around this problem, you can disable CRL support entirely using the following commands:
$ CRL_HASH=$(openssl x509 -subject_hash -in
/etc/candlepin/certs/candlepin-ca.crt | head -n1)
$ mv /etc/pki/pulp/content/${CRL_HASH}.r0
/etc/pki/pulp/content/DISABLED_${CRL_HASH}.r0
Fixed in katello-certs-tools-1.0.4-1 and above Validated: * candlepin-0.5.24-1.el6.noarch * candlepin-tomcat6-0.5.24-1.el6.noarch * katello-0.1.303-1.el6.noarch * katello-all-0.1.303-1.el6.noarch * katello-candlepin-cert-key-pair-1.0-1.noarch * katello-certs-tools-1.0.4-1.el6.noarch * katello-cli-0.1.102-1.el6.noarch * katello-cli-common-0.1.102-1.el6.noarch * katello-common-0.1.303-1.el6.noarch * katello-configure-0.1.104-1.el6.noarch * katello-glue-candlepin-0.1.303-1.el6.noarch * katello-glue-foreman-0.1.303-1.el6.noarch * katello-glue-pulp-0.1.303-1.el6.noarch * katello-qpid-broker-key-pair-1.0-1.noarch * katello-qpid-client-key-pair-1.0-1.noarch * katello-selinux-0.1.8-1.el6.noarch * pulp-1.0.0-4.el6.noarch * pulp-common-1.0.0-4.el6.noarch * pulp-selinux-server-1.0.0-4.el6.noarch Removing technical note and requires_release_note? flag. This issue has been fixed and requires *no* any release notes. Deleted Technical Notes Contents.
Old Contents:
Due to a bug in how certificates are constructed during System Engine configuration, the certificate restriction list (CRL) blocks all katello-hosted repository access. This issue will be resolved in a future katello update. In the meantime, to work around this problem, you can disable CRL support entirely using the following commands:
$ CRL_HASH=$(openssl x509 -subject_hash -in
/etc/candlepin/certs/candlepin-ca.crt | head -n1)
$ mv /etc/pki/pulp/content/${CRL_HASH}.r0
/etc/pki/pulp/content/DISABLED_${CRL_HASH}.r0
|