Bug #28043

Crane port 5000 presenting default Certificate Chain instead of Server Chain

Added by Ewoud Kohl van Wijngaarden over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Category:
Foreman modules
Target version:
-
Fixed in Releases:
1.24.0
Found in Releases:

Description

When using custom certs, the CA chain presented is the Default CA where Katello is configured to expect the Server CA. This isn't a problem without custom certs because then those are the same chain.

# egrep Cert /etc/httpd/conf.d/03-crane.conf
  SSLCertificateFile      "/etc/pki/katello/certs/katello-apache.crt" 
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key" 
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"     --> Wrong? This should be katello-server-ca.crt
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt" 

The SSL verification issue can be seen when there is an Intermediate CA along with the Root CA. If a client connecting to Crane only has the Root CA in its trust store, SSL verification will fail.

Example :

# openssl s_client -connect sat65.lab.box:5000 -CAfile ./rootCA.pem
CONNECTED(00000003)
depth=0 C = IN, ST = MH, L = PNQ, O = Satellite, OU = Unix Admins, CN = sat65.lab.box
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = PNQ, O = Satellite, OU = Unix Admins, CN = sat65.lab.box
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = IN, ST = MH, L = PNQ, O = Sysmgmt, OU = Unix Admins, CN = sat65.lab.box
   i:C = IN, ST = MH, L = PNQ, O = Intermediate CA, OU = CA Support, CN = Intermediate CA
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box

How reproducible:
Clients connecting to the Crane registry will face this only when there is more than one CA in the chain and the client only has the Root CA in its trust store.

Steps to Reproduce:
1. Install custom SSL certs on Katello signed by a chain Root CA -> Intermediate CA -> Katello cert
2. Put the Root CA in a system's trust store. Do not register it to Katello, as that will put the full chain (i.e. katello-server-ca.crt) into the trust anchors.
3. Use any container software on that system to connect to Crane over HTTPS and notice the SSL verification errors

Actual results:
Certs cannot be verified

Expected results:
The SSLCertificateChainFile option of the Apache configuration should point at katello-server-ca.crt so that the SSL chain is served correctly.
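
The failure mode in this report can be reproduced offline without a Katello install. The script below is an added example, not part of the bug report or of the Katello/Foreman projects. It builds a Root CA -> Intermediate CA -> server certificate chain plus an unrelated self-signed "Default CA" (standing in for katello-default-ca.crt), then verifies the server certificate the way a client that trusts only the Root CA would. Instead of a live TLS connection it uses `openssl verify -untrusted`, where the `-untrusted` file plays the role of what Apache sends from SSLCertificateChainFile. All subject names and the hostname sat65.lab.box are made up for the demonstration; it assumes the `openssl` command-line tool is installed with its default configuration.

```shell
#!/bin/sh
# Added example (not from the bug report or the Katello project).
# Shows why a client trusting only the Root CA fails when the server's
# chain file is the wrong CA, and succeeds when it is the Intermediate CA.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# sign_cert NAME SUBJECT ISSUER EXTENSIONS: create a key and CSR for NAME and
# have ISSUER sign it (ISSUER = "self" produces a self-signed certificate).
sign_cert() {
  name=$1; subject=$2; issuer=$3; exts=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf '%s\n' "$exts" > "$name.ext"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
      -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  fi
}

# A CA needs CA:TRUE and keyCertSign, otherwise OpenSSL rejects it as an issuer.
CA_EXT="basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
SERVER_EXT="basicConstraints=CA:FALSE
subjectAltName=DNS:sat65.lab.box"

sign_cert root    '/CN=Root CA'         self "$CA_EXT"       # customer root (made up)
sign_cert int     '/CN=Intermediate CA' root "$CA_EXT"       # customer intermediate
sign_cert server  '/CN=sat65.lab.box'   int  "$SERVER_EXT"   # katello-apache.crt
sign_cert default '/CN=Default CA'      self "$CA_EXT"       # katello-default-ca.crt

# verify_as_client CHAINFILE: verify server.pem with only root.pem trusted,
# treating CHAINFILE as the extra certificates the server presented.
# Returns 0 when the chain builds, 1 otherwise, and prints openssl's verdict.
verify_as_client() {
  if out=$(openssl verify -CAfile root.pem -untrusted "$1" server.pem 2>&1); then
    echo "chain=$1: $out"
  else
    echo "chain=$1: $out"
    return 1
  fi
}

# Misconfigured port 5000: chain file is the default CA, so the client cannot
# find the issuer of the server cert (error 20, as in the s_client output above).
if verify_as_client default.pem; then
  echo "unexpected: the wrong chain verified"
fi
# Correct chain file (katello-server-ca.crt carries the intermediate): OK.
verify_as_client int.pem
```

The same check against a live server is the `openssl s_client -connect host:5000 -CAfile rootCA.pem` command from the report; the `-untrusted` file here is the stand-in for the certificates that command would list after entry 0 in "Certificate chain".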

Actions #1

Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/211 added
Actions #2

Updated by Ewoud Kohl van Wijngaarden over 4 years ago

  • Category set to Foreman modules
  • Assignee changed from Eric Helms to Ewoud Kohl van Wijngaarden
Actions #3

Updated by Ewoud Kohl van Wijngaarden over 4 years ago

  • Description updated (diff)
Actions #4

Updated by The Foreman Bot over 4 years ago

  • Fixed in Releases 1.24.0 added
Actions #5

Updated by Ewoud Kohl van Wijngaarden over 4 years ago

  • Status changed from Ready For Testing to Closed