Project

General

Profile

Bug #12265

Installing custom SSL using katello-installer causes system to become unusable

Added by Vladimir Stackov over 3 years ago. Updated 11 months ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Installer
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Description:

Running katello-installer --certs-server-cert ~/ssl/katello.tld.crt --certs-server-cert-req ~/ssl/katello.tld.csr --certs-server-key ~/ssl/katello.tld.key --certs-server-ca-cert ~/ssl/CABundle.pem --certs-update-server --certs-update-server-ca renders Foreman and crane unusable because of unrelated CA in cert chain.

Steps to Reproduce:
1. (Probably) Install katello as usual with no external SSL certificates;
2. Run katello-installer --certs-server-cert ~/ssl/katello.tld.crt --certs-server-cert-req ~/ssl/katello.tld.csr --certs-server-key ~/ssl/katello.tld.key --certs-server-ca-cert ~/ssl/CABundle.pem --certs-update-server --certs-update-server-ca
3. Run openssl s_client -connect katello.tld:443 from external system.

Actual results:
CONNECTED(00000003)
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=RU/L=***/O=***/OU=***/CN=katello.tld/emailAddress=***
i:/C=RU/DC=ru/... and so on (subCA info data)
1 s:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld
i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld

Expected results:
[..]
Certificate chain
0 s:/C=RU/L=***/O=***/OU=***/CN=katello.tld/emailAddress=***
i:/C=RU/DC=ru/... and so on (subCA info data)
1 s:/C=RU/DC=ru/... and so on (subCA info data)
i:/C=RU/DC=ru/... and so on (CA info data)
2 s:/C=RU/DC=ru/... and so on (CA info data)
i:/C=RU/DC=ru/... and so on (CA info data)

Additional info:
Wrong certificate in chain comes from /etc/pki/katello/certs/katello-default-ca.crt, it was added in 03-crane.conf and 05-foreman-ssl.conf as SSLCertificateChainFile and SSLCACertificateFile.


Related issues

Is duplicate of Katello - Bug #15507: Katello 3.0.1 installation fails - Crane: Failed to configure CA certificate chain!Resolved2016-06-23

History

#1 Updated by Vladimir Stackov over 3 years ago

Packages:

rubygem-hammer_cli_katello-0.0.17-2.el7.noarch
katello-selinux-2.2.1-1.el7.noarch
katello-default-ca-1.0-1.noarch
katello-service-2.3.0-6.el7.noarch
katello-2.3.0-6.el7.noarch
katello-certs-tools-2.3.0-4.el7.noarch
katello-installer-2.3.1-6.el7.noarch
katello-common-2.3.0-6.el7.noarch
katello-server-ca-1.0-15.noarch
katello-agent-2.3.1-4.el7.noarch
katello-installer-base-2.3.1-6.el7.noarch
ruby193-rubygem-katello-2.3.1-2.el7.noarch
pulp-katello-0.4-2.el7.noarch
katello-debug-2.3.0-6.el7.noarch

#2 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) set to 70
  • Triaged changed from No to Yes

#3 Updated by Justin Sherrill over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 70 to 86

#4 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 144

#5 Updated by Eric Helms almost 3 years ago

  • Legacy Backlogs Release (now unused) changed from 144 to 168

#6 Updated by Eric Helms almost 3 years ago

  • Legacy Backlogs Release (now unused) changed from 168 to 143

#7 Updated by Justin Sherrill almost 3 years ago

  • Is duplicate of Bug #15507: Katello 3.0.1 installation fails - Crane: Failed to configure CA certificate chain! added

#8 Updated by Justin Sherrill almost 3 years ago

  • Status changed from New to Duplicate
  • Legacy Backlogs Release (now unused) changed from 143 to 171

#9 Updated by Eric Helms over 2 years ago

  • Legacy Backlogs Release (now unused) changed from 171 to 162

Also available in: Atom PDF