Bug #12265

closed

Installing custom SSL using katello-installer causes system to become unusable

Added by Vladimir Stackov over 9 years ago. Updated almost 7 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Description:

Running katello-installer --certs-server-cert ~/ssl/katello.tld.crt --certs-server-cert-req ~/ssl/katello.tld.csr --certs-server-key ~/ssl/katello.tld.key --certs-server-ca-cert ~/ssl/CABundle.pem --certs-update-server --certs-update-server-ca renders Foreman and crane unusable because of an unrelated CA in the cert chain.

Steps to Reproduce:
1. (Probably) Install katello as usual with no external SSL certificates;
2. Run katello-installer --certs-server-cert ~/ssl/katello.tld.crt --certs-server-cert-req ~/ssl/katello.tld.csr --certs-server-key ~/ssl/katello.tld.key --certs-server-ca-cert ~/ssl/CABundle.pem --certs-update-server --certs-update-server-ca
3. Run openssl s_client -connect katello.tld:443 from an external system.

Actual results:
CONNECTED(00000003)
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = RU, L = ***, O = ***, OU = ***, CN = katello.tld, emailAddress = ***
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=RU/L=***/O=***/OU=***/CN=katello.tld/emailAddress=***
i:/C=RU/DC=ru/... and so on (subCA info data)
1 s:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld
i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld

Expected results:
[..]
Certificate chain
0 s:/C=RU/L=***/O=***/OU=***/CN=katello.tld/emailAddress=***
i:/C=RU/DC=ru/... and so on (subCA info data)
1 s:/C=RU/DC=ru/... and so on (subCA info data)
i:/C=RU/DC=ru/... and so on (CA info data)
2 s:/C=RU/DC=ru/... and so on (CA info data)
i:/C=RU/DC=ru/... and so on (CA info data)

Additional info:
The wrong certificate in the chain comes from /etc/pki/katello/certs/katello-default-ca.crt; it was added in 03-crane.conf and 05-foreman-ssl.conf as SSLCertificateChainFile and SSLCACertificateFile.
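
An added example, not part of the original report: a quick check that parses the "Certificate chain" section of openssl s_client output and flags the break shown under Actual results, where a certificate's issuer is not the subject of the next certificate served. The function names and the distinguished names in the sample data are constructed for illustration.

```python
import re

# Chain entries in s_client output: " 0 s:<subject>" then "   i:<issuer>".
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")
_ISSUER = re.compile(r"^\s*i:\s*(.+?)\s*$")

def parse_chain(s_client_output):
    """Return [(index, subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_section, pending = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.startswith("---"):
            break  # end of the chain section
        elif in_section and (m := _SUBJECT.match(line)):
            pending = (int(m.group(1)), m.group(2))
        elif in_section and pending and (m := _ISSUER.match(line)):
            chain.append((*pending, m.group(1)))
            pending = None
    return chain

def chain_breaks(chain):
    """List places where an issuer is not the next subject (names only, no signature check)."""
    return [
        f"cert {idx}: issuer {issuer!r} does not match cert {nxt_idx} subject {nxt_subj!r}"
        for (idx, _, issuer), (nxt_idx, nxt_subj, _) in zip(chain, chain[1:])
        if issuer != nxt_subj
    ]

# Constructed sample data modelled on the report (names are placeholders).
BROKEN = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=RU/O=Example/CN=katello.tld
   i:/C=RU/DC=ru/CN=Example Sub CA
 1 s:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld
   i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.tld
---
"""
LINKED = """Certificate chain
 0 s:/C=RU/O=Example/CN=katello.tld
   i:/C=RU/DC=ru/CN=Example Sub CA
 1 s:/C=RU/DC=ru/CN=Example Sub CA
   i:/C=RU/DC=ru/CN=Example Root CA
 2 s:/C=RU/DC=ru/CN=Example Root CA
   i:/C=RU/DC=ru/CN=Example Root CA
"""
```

Passing the captured output of the s_client command from step 3 to parse_chain and then chain_breaks gives an empty list when every served certificate is issued by the next one.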


Related issues 1 (0 open, 1 closed)

Is duplicate of Katello - Bug #15507: Katello 3.0.1 installation fails - Crane: Failed to configure CA certificate chain! (Resolved, Eric Helms, 06/23/2016)
#2

Updated by Eric Helms over 9 years ago

  • Translation missing: en.field_release set to 70
  • Triaged changed from No to Yes
#3

Updated by Justin Sherrill over 9 years ago

  • Translation missing: en.field_release changed from 70 to 86
#4

Updated by Eric Helms almost 9 years ago

  • Translation missing: en.field_release changed from 86 to 144
#5

Updated by Eric Helms almost 9 years ago

  • Translation missing: en.field_release changed from 144 to 168
#6

Updated by Eric Helms almost 9 years ago

  • Translation missing: en.field_release changed from 168 to 143
#7

Updated by Justin Sherrill almost 9 years ago

  • Is duplicate of Bug #15507: Katello 3.0.1 installation fails - Crane: Failed to configure CA certificate chain! added
#8

Updated by Justin Sherrill almost 9 years ago

  • Status changed from New to Duplicate
  • Translation missing: en.field_release changed from 143 to 171
#9

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release changed from 171 to 162