Bug #24815
closed
Newly added check (check-cert-san) in katello-certs-check is breaking installer for all customers not using Subject Alternative Name (SAN)
Description
Newly added check (check-cert-san) in katello-certs-check is breaking satellite-installer for all users not using Subject Alternative Name (SAN)
Version-Release number of selected component (if applicable):
Satellite 6.4 Snap 17
How reproducible:
Always when using custom SSL certs (SSL certs without SAN)
Steps to Reproduce:
1. Generate and get custom ssl certificates signed for Satellite server.
2. Use katello-certs-check to validate certs
- katello-certs-check -c "/root/satellite.example.com.cert.pem" -k "/root/satellite.example.com.key.pem" -b "/root/ca-chain.cert.pem"
Checking server certificate's encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server cert has CA:TRUE flag[OK]
Validating the certificate subject= /C=IN/ST=MH/L=Pune/O=Red Hat India/OU=SysMgmt/CN=satellite.example.com/emailAddress=ahumbe@redhat.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking Subject Alt Name on certificate[FAIL] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
The /root/vm110.gsslab.pnq.redhat.com.cert.pem does not contain a Subject Alt Name <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Checking Key Usage extension on certificate for Key Encipherment[OK]
Actual results:
Katello-certs-check as a standalone fails with the above error.
In the same way, the satellite-installer fails due to the error thrown by katello-certs-check.
Expected results:
The katello-certs-check should successfully validate certs if those are not for LB / HA kind of setups. We have a good number of customers using custom ssl certs without SAN in the certificate.
Satellite-install and Katello-certs-check commands should work successfully even if the certificate does not have Subject Alternative Name set.
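An added example, not the katello-certs-check source or the change merged for this issue: one way a SAN check can stay non-fatal for certificates without a SAN while still failing when a specific name must be covered. The function names, the `REQUIRED_NAME` argument and the `check-san.sh` file name are hypothetical.

```shell
#!/bin/bash
# Added example, not the katello-certs-check source or the merged fix.
# Assumption: a SAN is mandatory only when the caller names a host (such as
# a load-balancer FQDN) that the certificate must cover.

# Print one SAN dNSName per line; prints nothing when the cert has none.
cert_san_dns_names() {
  openssl x509 -noout -text -in "$1" 2>/dev/null |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_cert_san CERT [REQUIRED_NAME]   (REQUIRED_NAME is hypothetical)
# Returns 0 for OK or warning, 1 if REQUIRED_NAME is not listed,
# 2 if CERT cannot be parsed. Matching is exact; wildcards are not expanded.
check_cert_san() {
  local cert="$1" required="${2:-}" names
  printf "Checking Subject Alt Name on certificate"
  if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
    echo "[FAIL]"
    echo "The $cert is not a readable X.509 certificate" >&2
    return 2
  fi
  names=$(cert_san_dns_names "$cert")
  if [ -z "$required" ]; then
    if [ -n "$names" ]; then
      echo "[OK]"
    else
      echo "[WARNING]"
      echo "The $cert has no DNS names in a Subject Alt Name" >&2
    fi
    return 0
  fi
  if printf '%s\n' "$names" | grep -Fxq -- "$required"; then
    echo "[OK]"
    return 0
  fi
  echo "[FAIL]"
  echo "The $cert does not list $required in its Subject Alt Name" >&2
  return 1
}

# Stand-alone use (hypothetical file name): ./check-san.sh CERT [REQUIRED_NAME]
[ "$#" -eq 0 ] || check_cert_san "$@"
```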
Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/katello-installer/pull/681 added
Updated by Chris Roberts over 6 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset katello-installer|0c88a64a2888f0e1326cfdc63d49376fdcc40b07.
Updated by Justin Sherrill over 6 years ago
- Subject changed from Newly added check (check-cert-san) in katello-certs-check is breaking satellite-installer for all customers not using Subject Alternative Name (SAN) to Newly added check (check-cert-san) in katello-certs-check is breaking installer for all customers not using Subject Alternative Name (SAN)
- Triaged changed from No to Yes
- Fixed in Releases Katello 3.9.0 added
Updated by Samir Jha over 6 years ago
- Target version changed from Katello 3.8.1 to Katello 3.9.0