Bug #27462
katello-certs-check (check-ca-bundle) doesn't catch openssl error correctly
Status: Closed
Priority: Normal
Assignee:
Category: foreman-installer script
Target version:
Pull request:
Fixed in Releases:
Found in Releases:
Description
Description of problem:
Openssl will return a 0 exit code and an "OK" message for some errors. For example:
- openssl verify -CAfile /root/min_bundle.pem -purpose sslserver /root/sat_cert.pem
/root/sat_cert.pem: C = AU, O = My Org, OU = Web Servers, CN = satellite.example.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK
- echo $?
0
The "check-ca-bundle" function only catches the exit code but doesn't catch the error message. This causes the invalid ssl server certificate to pass the test.
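A check that looks at the captured output as well as the exit status, as an added example (not the katello-certs-check code and not the patch from the pull requests). The function and variable names are hypothetical; the sample text is the output quoted in the report above.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical, not from katello-certs-check.

# Constructed sample: the old-openssl output quoted in the report (exit status was 0).
SAMPLE_OLD_OPENSSL_OUTPUT='/root/sat_cert.pem: C = AU, O = My Org, OU = Web Servers, CN = satellite.example.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK'

# The weak check: trusts the exit status alone.
exit_code_only_ok() {
    [ "$1" -eq 0 ]
}

# Stricter check: the exit status must be 0 AND the captured output must not
# contain an "error N at D depth lookup" line.
verify_output_ok() {
    status=$1
    output=$2
    [ "$status" -eq 0 ] || return 1
    if printf '%s\n' "$output" | grep -Eq 'error [0-9]+ at [0-9]+ depth lookup'; then
        return 1
    fi
    return 0
}

# Runs the same command as in the report and applies the stricter check.
# stdout and stderr are merged so the error line is seen wherever openssl prints it.
check_server_cert() {
    ca_bundle=$1
    cert=$2
    status=0
    output=$(openssl verify -CAfile "$ca_bundle" -purpose sslserver "$cert" 2>&1) || status=$?
    if verify_output_ok "$status" "$output"; then
        return 0
    fi
    printf '%s\n' "$output" >&2
    return 1
}
```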
Associated revisions
Refs #27462 - Add test case for invalid purpose sslserver
History
#1
Updated by The Foreman Bot over 1 year ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman-installer/pull/376 added
#2
Updated by Hao Yu over 1 year ago
This issue seems to only happen in older versions of openssl, such as RHEL 7.6 with "openssl-1.0.2k". It doesn't happen in Fedora 27 with "openssl-1.1.0g".
#3
Updated by The Foreman Bot 2 months ago
- Assignee set to Eric Helms
- Pull request https://github.com/theforeman/foreman-installer/pull/617 added
#4
Updated by The Foreman Bot 2 months ago
- Fixed in Releases 2.4.0 added
#5
Updated by Hao Yu 2 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset installer|1c48582b5b4fe27183137dea9f870bdfa0dd5d63.
#6
Updated by Ewoud Kohl van Wijngaarden about 2 months ago
- Triaged changed from No to Yes
- Target version set to 2.3.0
- Fixed in Releases 2.3.0 added
- Fixed in Releases deleted (2.4.0)
Fixes #27462 - Capture the openssl error correctly
Older openssl versions will still return a 0 exit code and an "OK" message
for some errors, such as the openssl in RHEL 7. This causes the
katello-certs-check script to not capture the certificate error correctly.
This patch fixed the issue.