Bug #24815

Newly added check (check-cert-san) in katello-certs-check is breaking installer for all customers not using Subject Alternative Name (SAN)

Added by Chris Roberts over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: Installer
Target version:
Difficulty: easy
Triaged: Yes
Bugzilla link:

Description

Newly added check (check-cert-san) in katello-certs-check is breaking satellite-installer for all users not using Subject Alternative Name (SAN)

Version-Release number of selected component (if applicable):
Satellite 6.4 Snap 17

How reproducible:
Always when using custom SSL certs (SSL certs without SAN)

Steps to Reproduce:
1. Generate and get custom ssl certificates signed for Satellite server.
2. Use katello-certs-check to validate certs

    # katello-certs-check -c "/root/satellite.example.com.cert.pem" -k "/root/satellite.example.com.key.pem" -b "/root/ca-chain.cert.pem"
    Checking server certificate's encoding: [OK]
    Checking expiration of certificate: [OK]
    Checking expiration of CA bundle: [OK]
    Checking if server cert has CA:TRUE flag[OK]
    Validating the certificate subject= /C=IN/ST=MH/L=Pune/O=Red Hat India/OU=SysMgmt/CN=satellite.example.com/emailAddress=
    Checking to see if the private key matches the certificate: [OK]
    Checking ca bundle against the cert file: [OK]
    Checking Subject Alt Name on certificate[FAIL] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    The /root/vm110.gsslab.pnq.redhat.com.cert.pem does not contain a Subject Alt Name <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    Checking Key Usage extension on certificate for Key Encipherment[OK]

Actual results:

Katello-certs-check as a standalone command fails with the above error.

In the same way, satellite-installer fails due to the error thrown by katello-certs-check.

Expected results:

The katello-certs-check should successfully validate certs if those are not for LB / HA kind of setups. We have a good number of customers using custom ssl certs without SAN in the certificate.

Satellite-install and Katello-certs-check commands should work successfully even if the certificate does not have Subject Alternative Name set.

Associated revisions

Revision 0c88a64a (diff)
Added by Chris Roberts over 1 year ago

Fixes #24815 - Update SAN check to warning and clean up script.
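
The behaviour requested under "Expected results" and named in the commit message above (a missing SAN reported as a warning instead of a failure), as an added example; this is not katello-certs-check's own code. The function names, the `warn`/`strict` mode argument, the `[WARNING]` label and the sample `openssl x509 -noout -text` fragments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the project's script.

# san_entries: read `openssl x509 -noout -text` output on stdin and print
# the value line of the Subject Alternative Name extension (nothing if absent).
san_entries() {
    awk '/X509v3 Subject Alternative Name/ {
        if ((getline line) > 0) {
            sub(/^[ \t]+/, "", line)
            print line
        }
        exit
    }'
}

# check_cert_san MODE: reads the same openssl text dump on stdin.
#   MODE=strict  a missing SAN returns 1, so a calling installer aborts
#   MODE=warn    a missing SAN is reported but returns 0
check_cert_san() {
    mode=$1
    san=$(san_entries)
    if [ -n "$san" ]; then
        echo "Checking Subject Alt Name on certificate [OK] ($san)"
        return 0
    fi
    if [ "$mode" = "strict" ]; then
        echo "Checking Subject Alt Name on certificate [FAIL]"
        return 1
    fi
    echo "Checking Subject Alt Name on certificate [WARNING]"
    return 0
}

# Constructed samples of the extensions section printed by openssl.
CERT_WITHOUT_SAN='        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'
CERT_WITH_SAN='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:satellite.example.com, DNS:lb.example.com
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'

# Demo on the constructed sample; with a real file the input would be:
#   openssl x509 -in cert.pem -noout -text | check_cert_san warn
printf '%s\n' "$CERT_WITHOUT_SAN" | check_cert_san warn
```

In `warn` mode a certificate without SAN still produces a visible message, but the exit status stays 0 so the remaining checks and the installer continue.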

History

#1 Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello-installer/pull/681 added

#2 Updated by Chris Roberts over 1 year ago

  • Status changed from Ready For Testing to Closed

#3 Updated by Justin Sherrill over 1 year ago

  • Triaged changed from No to Yes
  • Subject changed from Newly added check (check-cert-san) in katello-certs-check is breaking satellite-installer for all customers not using Subject Alternative Name (SAN) to Newly added check (check-cert-san) in katello-certs-check is breaking installer for all customers not using Subject Alternative Name (SAN)
  • Fixed in Releases Katello 3.9.0 added

#4 Updated by Samir Jha over 1 year ago

  • Target version changed from Katello 3.8.1 to Katello 3.9.0
