Bug #22606

proxy/foreman-certs-bundle does not include intermediate certs

Added by Daniel Kimsey over 1 year ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
Installer
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

When using custom certs, they are frequently made with an intermediate CA. The cert tools (including the bootstrap/rpm in /pub) do not include the intermediate CA.

For instance, my proxy's :8443 ssl configuration is missing the SSLCertificateChainFile directive. I have to add it back manually after every install because it's not part of the configs or cert bundle deployed by the tools.
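The failure the description points at (a server cert issued by an intermediate CA, deployed without that intermediate) can be reproduced offline. The script below is an added example, not code from the bug report or from the Foreman/Katello tooling; it assumes the openssl CLI is installed, and every name in it (Example Root CA, proxy.example.test, the temp directory) is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway root -> intermediate -> leaf PKI built with openssl,
# then the verification a TLS client performs, with and without the intermediate.
# All names (Example Root CA, proxy.example.test) are placeholders, not from the report.
set -u
WORK="$(mktemp -d)"
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# make_chain: writes root.pem, int.pem (signed by root) and leaf.pem (signed by int) into $WORK.
make_chain() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=proxy.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:proxy.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf ROOT LEAF [CHAIN]: "ok" if LEAF chains to ROOT, using CHAIN (the file an
# SSLCertificateChainFile directive would point at) as untrusted intermediates; else "fail".
verify_leaf() {
  local root="$1" leaf="$2" chain="${3:-}"
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# count_certs FILE: number of PEM certificates in a bundle. A custom-CA bundle holding only
# the root, with the intermediate missing, is the symptom this report describes.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

make_chain
echo "root only, intermediate not deployed: $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem")"            # fail
echo "root plus intermediate chain file:    $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"   # ok
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
echo "certs in ca-bundle.pem: $(count_certs "$WORK/ca-bundle.pem")"   # 2
```

Running count_certs against the CA file inside a deployed bootstrap RPM, and verify_leaf against the served cert, tells you whether the intermediate actually made it into the bundle.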

History

#1 Updated by Michael Moll over 1 year ago

  • Project changed from Foreman to Katello

#2 Updated by Eric Helms over 1 year ago

Howdy Daniel,

Looking for some more information to help us out. When you include custom certs, do you see the bootstrap RPM version revving? Can you open the latest bootstrap RPM and check if the `katello-server-ca.crt` is the same as your custom CA cert?

When you configure custom certs do you include the intermediate CA or the root CA as input to the installer?

#3 Updated by Daniel Kimsey over 1 year ago

I don't recall there being instructions for adding the intermediate cert chain for custom certs on proxies. The --help doesn't seem to indicate how to do that.

I'm wary of running the foreman-certs-bundle tool as I've (following the Proxy Upgrade instructions) had it regenerate the internal katello CA and break my proxies. I'm running v15; if you have some instructions you'd like me to follow to verify how my cert is being set up, I'm happy to help.

When you include custom certs, do you see the bootstrap RPM version revving?

Yes, I pass it the same cert parameters we've always used on the proxies (certs generated a few years ago) and ask it to write a new tarball with the current date.

Can you open the latest bootstrap RPM and check if the `katello-server-ca.crt` is the same as your custom CA cert?

It's been a bit (note above). But IIRC, the cert is there. The internal katello cert (default?) gets blown away, which I don't understand. It breaks everything on the proxies when that happens. (--certs-update-all vs --certs-update-server vs --certs-update-server-ca, Upgrade docs say use --certs-update-all which I don't trust anymore)

When you configure custom certs do you include the intermediate CA or the root CA as input to the installer?

There is no option to do that in foreman-installer-katello-3.4.1.3-1.el7.noarch

$ sudo foreman-proxy-certs-generate --help
= Module certs:
    --cname                       The alternative names of the host the generated certificates
                                  should be for (current: [])
    --node-fqdn                   The fqdn of the host the generated certificates
                                  should be for (current: "katello.trustwave.com")
    --server-ca-cert              Path to the CA that issued the ssl certificates for https
                                  if not specified, the default CA will be used (current: UNDEF)
    --server-cert                 Path to the ssl certificate for https
                                  if not specified, the default CA will generate one (current: UNDEF)
    --server-cert-req             Path to the ssl certificate request for https
                                  if not specified, the default CA will generate one (current: UNDEF)
    --server-key                  Path to the ssl key for https
                                  if not specified, the default CA will generate one (current: UNDEF)

#4 Updated by John Mitsch over 1 year ago

  • Assignee set to Eric Helms
  • Category set to Installer

#5 Updated by John Mitsch about 1 year ago

  • Legacy Backlogs Release (now unused) set to 114
