check for too many issuers in custom SSL certs
Description of problem:
Attempting to update custom SSL certs using the following documented procedure:
fails and results in a non-working Satellite server due to failures in
qpid and foreman_proxy:
[ERROR 2019-04-23T13:53:30 main] /Stage[main]/Katello::Qpid/Qpid::Config::Queue[katello_event_queue]/Qpid::Config_cmd[ensure queue katello_event_queue]/Exec[qpid-config ensure queue katello_event_queue]/returns: change from 'notrun' to ['0'] failed: 'qpid-config --ssl-certificate /etc/pki/katello/certs/satellite.example.org-qpid-broker.crt --ssl-key /etc/pki/katello/private/satellite.example.org-qpid-broker.key -b amqps://localhost:5671 add queue katello_event_queue --durable' returned 1 instead of one of 
[ERROR 2019-04-23T13:53:30 main] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.org]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=unknown state: excessive message size in get request to: https://satellite.example.org/api/v2/smart_proxies?search=name=%22satellite.example.org%22
Steps to Reproduce:
1. Create a certificate file with more than 32 issuers.
2. Attempt to update certificates using procedure above.
Actual results:
Certificate update fails, even though katello-certs-check succeeds.
Expected results:
Certificates should be updated successfully with the above documented procedure.
The customer identified two problems with the documented procedure in his
1. The "--certs-update-all" flag is required but is not listed in the instructions above.
2. The CA bundle used must not contain too many certificates; if it does, the certificates must
be split into separate files. Currently, 'katello-certs-check' succeeds even though the large bundle will break later components (qpid and foreman_proxy, as in the errors above).
Fixes #28367 - Add a max issuers check
Too many certificates in the bundle breaks various tools. By keeping an
upper limit of 32 it should be safe since only the chain for the server
certificate should be included.
https://access.redhat.com/solutions/3406401 describes this as well, but
requires a login.
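The kind of pre-flight check the commit above describes, as an added example that is not the installer's or katello-certs-check's own code: it counts PEM certificate blocks in a bundle and refuses anything above 32, so the problem surfaces before qpid or foreman_proxy fail. The function names, MAX_ISSUERS and the constructed placeholder bundle are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from katello-certs-check): reject CA bundles with more
# certificates than the downstream tools tolerate. Names below are assumptions.

MAX_ISSUERS=32   # assumed limit, matching the 32-issuer ceiling from the report

# Count PEM certificate blocks: one "BEGIN CERTIFICATE" marker per certificate.
# grep -c prints 0 (and exits 1) when there are no matches, so swallow that exit.
count_certs() {
    [ -r "$1" ] || { echo "cannot read bundle: $1" >&2; return 2; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 when the bundle is within the limit, 1 when it holds too many certs.
check_max_issuers() {
    bundle="$1"
    count=$(count_certs "$bundle") || return 2
    if [ "$count" -gt "$MAX_ISSUERS" ]; then
        echo "ERROR: $bundle contains $count certificates; at most $MAX_ISSUERS are supported." >&2
        echo "Include only the chain for the server certificate, or split the bundle into separate files." >&2
        return 1
    fi
    return 0
}

# Build a constructed bundle of N placeholder PEM blocks (not real certificates),
# so the check can be exercised offline.
make_fake_bundle() {
    path="$1"; n="$2"; i=1
    : > "$path"
    while [ "$i" -le "$n" ]; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER$i" \
            '-----END CERTIFICATE-----' >> "$path"
        i=$((i + 1))
    done
}
```

Running `check_max_issuers /etc/pki/katello/certs/your-ca-bundle.pem` before `satellite-installer --certs-update-all` flags an oversized bundle with a clear message instead of a failed install.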
#3 Updated by Ewoud Kohl van Wijngaarden 9 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset installer|809edefecf39815af2e2555368307e860f9356cf.