Bug #27462: katello-certs-check (check-ca-bundle) doesn't catch openssl error correctly - Installer - Foreman

Bug #27462

katello-certs-check (check-ca-bundle) doesn't catch openssl error correctly

Added by Hao Yu about 2 years ago. Updated 10 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Eric Helms

Category:

foreman-installer script

Target version:

Foreman - 2.3.0

Difficulty:

Triaged:

Yes

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman-installer/pull/617, https://github.com/theforeman/foreman-installer/pull/376

Fixed in Releases:

Foreman - 2.3.0

Found in Releases:

Description

Description of problem:
Openssl will return 0 exit code and "OK" message for some errors. For example:

openssl verify -CAfile /root/min_bundle.pem -purpose sslserver /root/sat_cert.pem
/root/sat_cert.pem: C = AU, O = My Org, OU = Web Servers, CN = satellite.example.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK

echo $?
0

The "check-ca-bundle" function only catches the exit code but doesn't catch the error message. This causes the invalid ssl server certificate to pass the test.

Associated revisions

Revision 1c48582b (diff)
Added by Hao Yu 10 months ago

Fixes #27462 - Capture the openssl error correctly

Older openssl version will still return 0 exit code and "OK" message
for some errors, such as the openssl in RHEL 7. This cause the
katello-certs-check script not capturing certificate error correctly.
This patch fixed the issue.

Revision b95e07ab (diff)
Added by Eric Helms 10 months ago

Refs #27462 - Add test case for invalid purpose sslserver

History

#1 Updated by The Foreman Bot about 2 years ago

Status changed from New to Ready For Testing
Pull request https://github.com/theforeman/foreman-installer/pull/376 added

#2 Updated by Hao Yu about 2 years ago

This issue seems to only happen in older version of openssl, such as RHEL 7.6 with "openssl-1.0.2k". It doesn't happen in Fedora 27 with "openssl-1.1.0g".