Bug #22606
openproxy/foreman-certs-bundle does not include intermediate certs
Description
When using custom certs, they are frequently made with an intermediate CA. The cert tools (including the bootstrap/rpm in /pub) do not include the intermediate CA.
For instance, my proxy's :8443 ssl configuration is missing the SSLCertificateChainFile directive. I have to add it back manually after every install because it's not part of the configs or cert bundle deployed by the tools.
Updated by Eric Helms about 7 years ago
Howdy Daniel,
Looking for some more information to help us out. When you include custom certs, do you see the bootstrap RPM version revving? Can you open the latest bootstrap RPM and check if the `katello-server-ca.crt` is the same as your custom CA cert?
When you configure custom certs do you include the intermediate CA or the root CA as input to the installer?
Updated by Daniel Kimsey about 7 years ago
I don't recall there being instructions for adding the intermediate cert chain for custom certs on proxies. The --help doesn't seem to indicate how to do that.
I'm wary of running the foreman-certs-bundle tool as I've (following the Proxy Upgrade instructions) had it regenerate the internal katello CA and break my proxies. I'm running v15; if you have some instructions you'd like me to follow to verify how my cert is being set up, I'm happy to help.
When you include custom certs, do you see the bootstrap RPM version revving?
Yes, I pass it the same cert parameters we've always used on the proxies (certs generated a few years ago). Ask it to write a new tarball with the current date.
Can you open the latest bootstrap RPM and check if the `katello-server-ca.crt` is the same as your custom CA cert?
It's been a bit (note above). But IIRC, the cert is there. The internal katello cert (default?) gets blown away, which I don't understand. It breaks everything on the proxies when that happens. (--certs-update-all vs --certs-update-server vs --certs-update-server-ca; Upgrade docs say use --certs-update-all, which I don't trust anymore.)
When you configure custom certs do you include the intermediate CA or the root CA as input to the installer?
There is no option to do that in foreman-installer-katello-3.4.1.3-1.el7.noarch
$ sudo foreman-proxy-certs-generate --help
= Module certs:
    --cname            The alternative names of the host the generated certificates should be for (current: [])
    --node-fqdn        The fqdn of the host the generated certificates should be for (current: "katello.trustwave.com")
    --server-ca-cert   Path to the CA that issued the ssl certificates for https if not specified, the default CA will be used (current: UNDEF)
    --server-cert      Path to the ssl certificate for https if not specified, the default CA will generate one (current: UNDEF)
    --server-cert-req  Path to the ssl certificate request for https if not specified, the default CA will generate one (current: UNDEF)
    --server-key       Path to the ssl key for https if not specified, the default CA will generate one (current: UNDEF)
Updated by John Mitsch about 7 years ago
- Category set to Installer
- Assignee set to Eric Helms
Updated by John Mitsch about 7 years ago
- Release set to 114