Bug #12265
Installing custom SSL using katello-installer causes system to become unusable
Description
Description:
Running katello-installer --certs-server-cert ~/ssl/katello.tld.crt --certs-server-cert-req ~/ssl/katello.tld.csr --certs-server-key ~/ssl/katello.tld.key --certs-server-ca-cert ~/ssl/CABundle.pem --certs-update-server --certs-update-server-ca renders Foreman and crane unusable because of unrelated CA in cert chain.
Steps to Reproduce:
1. (Probably) Install katello as usual with no external SSL certificates;
2. Run katello-installer --certs-server-cert ~/ssl/katello.tld.crt --certs-server-cert-req ~/ssl/katello.tld.csr --certs-server-key ~/ssl/katello.tld.key --certs-server-ca-cert ~/ssl/CABundle.pem --certs-update-server --certs-update-server-ca
3. Run openssl s_client -connect katello.tld:443 from external system.
Actual results:CONNECTED(00000003)
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=RU/L=***/O=***/OU=***/CN=katello.tld/emailAddress=***
i:/C=RU/DC=ru/... and so on (subCA info data)
1 s:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld
i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld
Expected results:
[..]Certificate chain
0 s:/C=RU/L=***/O=***/OU=***/CN=katello.tld/emailAddress=***
i:/C=RU/DC=ru/... and so on (subCA info data)
1 s:/C=RU/DC=ru/... and so on (subCA info data)
i:/C=RU/DC=ru/... and so on (CA info data)
2 s:/C=RU/DC=ru/... and so on (CA info data)
i:/C=RU/DC=ru/... and so on (CA info data)
Additional info:
Wrong certificate in chain comes from /etc/pki/katello/certs/katello-default-ca.crt, it was added in 03-crane.conf and 05-foreman-ssl.conf as SSLCertificateChainFile and SSLCACertificateFile.
Related issues
History
#1
Updated by Vladimir Stackov over 3 years ago
Updated by Packages:
rubygem-hammer_cli_katello-0.0.17-2.el7.noarch
katello-selinux-2.2.1-1.el7.noarch
katello-default-ca-1.0-1.noarch
katello-service-2.3.0-6.el7.noarch
katello-2.3.0-6.el7.noarch
katello-certs-tools-2.3.0-4.el7.noarch
katello-installer-2.3.1-6.el7.noarch
katello-common-2.3.0-6.el7.noarch
katello-server-ca-1.0-15.noarch
katello-agent-2.3.1-4.el7.noarch
katello-installer-base-2.3.1-6.el7.noarch
ruby193-rubygem-katello-2.3.1-2.el7.noarch
pulp-katello-0.4-2.el7.noarch
katello-debug-2.3.0-6.el7.noarch
#2
Updated by Eric Helms over 3 years ago
Updated by - Legacy Backlogs Release (now unused) set to 70
- Triaged changed from No to Yes
#3
Updated by Justin Sherrill over 3 years ago
Updated by - Legacy Backlogs Release (now unused) changed from 70 to 86
#4
Updated by Eric Helms about 3 years ago
- Legacy Backlogs Release (now unused) changed from 86 to 144
#5
Updated by Eric Helms almost 3 years ago
- Legacy Backlogs Release (now unused) changed from 144 to 168
#6
Updated by Eric Helms almost 3 years ago
- Legacy Backlogs Release (now unused) changed from 168 to 143
#7
Updated by Justin Sherrill almost 3 years ago
- Is duplicate of Bug #15507: Katello 3.0.1 installation fails - Crane: Failed to configure CA certificate chain! added
#8
Updated by Justin Sherrill almost 3 years ago
- Status changed from New to Duplicate
- Legacy Backlogs Release (now unused) changed from 143 to 171
#9
Updated by Eric Helms over 2 years ago
- Legacy Backlogs Release (now unused) changed from 171 to 162