I don't recall there being instructions for adding the intermediate cert chain for custom certs on proxies. The --help doesn't seem to indicate how to do that.
I'm wary of running the foreman-certs-bundle tool as I've (following the Proxy Upgrade instructions) had it regenerate the internal katello CA and break my proxies. I'm running v15, if you have some instructions you'd like me to do to verify how my cert is being set-up I'm happy to help.
When you include custom certs, do you see the bootstrap RPM version revving?
Yes, I pass it the same cert parameters we've always used on the proxies (certs generated a few years ago) and ask it to write a new tarball with the current date.
Can you open the latest bootstrap RPM and check if the `katello-server-ca.crt` is the same as your custom CA cert?
It's been a bit (note above). But IIRC, the cert is there. The internal katello cert (default?) gets blown away, which I don't understand. It breaks everything on the proxies when that happens. (--certs-update-all vs --certs-update-server vs --certs-update-server-ca; the Upgrade docs say use --certs-update-all, which I don't trust anymore.)
When you configure custom certs do you include the intermediate CA or the root CA as input to the installer?
There is no option to do that in foreman-installer-katello-3.4.1.3-1.el7.noarch:

```text
$ sudo foreman-proxy-certs-generate --help
= Module certs:
    --cname            The alternative names of the host the generated certificates
                       should be for (current: [])
    --node-fqdn        The fqdn of the host the generated certificates
                       should be for (current: "katello.trustwave.com")
    --server-ca-cert   Path to the CA that issued the ssl certificates for https
                       if not specified, the default CA will be used (current: UNDEF)
    --server-cert      Path to the ssl certificate for https
                       if not specified, the default CA will generate one (current: UNDEF)
    --server-cert-req  Path to the ssl certificate request for https
                       if not specified, the default CA will generate one (current: UNDEF)
    --server-key       Path to the ssl key for https
                       if not specified, the default CA will generate one (current: UNDEF)
```
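The two checks asked for in this thread, written out as an added example (this is not Foreman/Katello code and not something either poster ran): unpack the proxy bootstrap RPM, compare the shipped `katello-server-ca` file against the custom CA by SHA-256 fingerprint, and confirm that the proxy certificate actually chains to the root once the intermediate is supplied, with the "intermediate missing" failure reproduced alongside. Assumptions: `openssl` is on PATH; the file name `katello-server-ca.crt` is taken from the thread but its location inside the RPM is not, so it is located with `find`; `rpm2cpio`/`cpio` are only needed for a real RPM (the `extract_bootstrap_rpm` helper is defined but not run); the root/intermediate/proxy PKI and the fake unpacked-RPM directory are constructed on the fly with short-lived keys.

```shell
#!/bin/sh
# Added example for this thread, not Foreman/Katello code. Checks (1) whether
# the CA shipped in the proxy bootstrap RPM is the custom CA that was passed
# in, and (2) whether the proxy cert chains to the root only when the
# intermediate is bundled. Assumes openssl on PATH; rpm2cpio/cpio are only
# needed for a real RPM. The PKI below is constructed for the demo.
set -u

# SHA-256 fingerprint of the (first) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 when both PEM files hold the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Number of certificates in a PEM bundle (0 for an empty file).
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || :
}

# Exit 0 when leaf chains to root through the intermediates in bundle.
# An empty bundle reproduces the "intermediate not included" failure.
chain_verifies() {  # root.crt bundle.crt leaf.crt
    if [ -s "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# Unpack a proxy bootstrap RPM into outdir (for a real RPM; not run here).
extract_bootstrap_rpm() {  # file.rpm outdir
    mkdir -p "$2" && rpm2cpio "$1" | (cd "$2" && cpio -idm 2>/dev/null)
}

# Locate the katello-server-ca file in an unpacked RPM tree (file name from
# the thread; its path inside the RPM is not assumed) and compare it with
# the custom CA. Exit 0 on match, 1 if absent or different.
bootstrap_ca_matches() {  # unpacked_rpm_dir custom_ca.crt
    shipped=$(find "$1" -name 'katello-server-ca*' | head -n 1)
    [ -n "$shipped" ] && same_cert "$shipped" "$2"
}

# Constructed PKI: root -> intermediate -> proxy cert, all valid for one day.
make_demo_pki() {  # dir
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=proxy.example.com' \
        -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/proxy.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/proxy.crt" 2>/dev/null
    : > "$d/empty.crt"
    # Stand-in for an unpacked bootstrap RPM that shipped the custom root CA.
    mkdir -p "$d/rpm" && cp "$d/root.crt" "$d/rpm/katello-server-ca.crt"
}

WORK=$(mktemp -d)
make_demo_pki "$WORK"
bootstrap_ca_matches "$WORK/rpm" "$WORK/root.crt" \
    && echo "server CA in RPM matches the custom CA"
chain_verifies "$WORK/root.crt" "$WORK/empty.crt" "$WORK/proxy.crt" \
    || echo "proxy cert does NOT verify without the intermediate"
chain_verifies "$WORK/root.crt" "$WORK/int.crt" "$WORK/proxy.crt" \
    && echo "proxy cert verifies once the intermediate is bundled"
```

Against a real proxy, replace the constructed `rpm` directory with the output of `extract_bootstrap_rpm` on the latest bootstrap RPM, pass the file you gave as `--server-ca-cert` as the second argument to `bootstrap_ca_matches`, and run `chain_verifies` with your root, the shipped CA bundle and the proxy's `--server-cert`: a mismatch in the first check means the internal CA was regenerated, and a failure in the second with a pass when you add the intermediate yourself means the chain was never bundled.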