Bug #28367

check for too many issuers in custom SSL certs

Added by Ewoud Kohl van Wijngaarden over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Description of problem:
Attempting to update custom SSL certs using the following documented procedure:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/installing_satellite_server_from_a_connected_network/performing_additional_configuration_on_satellite_server#configuring_satellite_server_with_custom_server_certificate

and

https://access.redhat.com/solutions/1273623

fails and leaves the Satellite server in a non-working state because both
qpid and foreman_proxy fail to come up:

[ERROR 2019-04-23T13:53:30 main] /Stage[main]/Katello::Qpid/Qpid::Config::Queue[katello_event_queue]/Qpid::Config_cmd[ensure queue katello_event_queue]/Exec[qpid-config ensure queue katello_event_queue]/returns: change from 'notrun' to ['0'] failed: 'qpid-config --ssl-certificate /etc/pki/katello/certs/satellite.example.org-qpid-broker.crt --ssl-key /etc/pki/katello/private/satellite.example.org-qpid-broker.key -b amqps://localhost:5671 add queue katello_event_queue --durable' returned 1 instead of one of [0]

and

[ERROR 2019-04-23T13:53:30 main] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.org]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=unknown state: excessive message size in get request to: https://satellite.example.org/api/v2/smart_proxies?search=name=%22satellite.example.org%22

Steps to Reproduce:
1. Create a CA bundle file containing more than 32 issuer certificates.
2. Attempt to update the certificates using the procedure above.

Actual results:
Certificate update fails, even though katello-certs-check succeeds.

Expected results:
Certificates should be updated successfully with above documented procedure.

Additional info:
The customer identified two problems with the documented procedure in his
environment:
1. The "--certs-update-all" flag is required but is not listed in the instructions above.
2. The CA bundle must not contain too many certificates; if it does, the certificates must
be split into separate files. Currently 'katello-certs-check' succeeds even though the
large bundle will break later components.
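The check this report asks for, written here as an added example rather than code from katello-certs-check or the Katello project: it counts the certificates in a PEM bundle, fails when the count exceeds the 32-issuer limit the report describes (the limit is taken from the report, not from any documented constant), and splits an oversized bundle into one file per certificate, which is the workaround the report mentions. The function names, the threshold variable and the placeholder PEM blocks written by make_fake_bundle are assumptions for illustration; the placeholder blocks are constructed sample data, not real certificates, and only their BEGIN/END markers matter to the check.

```shell
#!/bin/sh
# Hypothetical helper (not part of katello-certs-check): detect CA bundles
# with more issuers than downstream components tolerate, and split them.

MAX_ISSUERS=32   # limit reported in the bug; an assumption, not a documented constant

# count_pem_certs FILE -> prints the number of "BEGIN CERTIFICATE" blocks
count_pem_certs() {
    # grep -c exits 1 when the count is 0; "|| true" keeps a 0 count from
    # aborting a caller running under "set -e"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_ca_bundle FILE [MAX] -> returns 0 if count <= MAX, 1 otherwise
check_ca_bundle() {
    file=$1
    max=${2:-$MAX_ISSUERS}
    n=$(count_pem_certs "$file")
    if [ "$n" -gt "$max" ]; then
        echo "ERROR: $file contains $n certificates, more than $max; split the bundle" >&2
        return 1
    fi
    echo "OK: $file contains $n certificates"
    return 0
}

# split_pem_bundle BUNDLE OUTDIR -> writes ca-001.pem, ca-002.pem, ... into OUTDIR,
# one certificate per file, preserving each block verbatim
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%03d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$bundle"
}

# make_fake_bundle FILE N -> writes N placeholder PEM blocks (constructed sample
# data, not real certificates; only the BEGIN/END markers are meaningful)
make_fake_bundle() {
    file=$1
    n=$2
    : > "$file"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-%d\n-----END CERTIFICATE-----\n' "$i" >> "$file"
        i=$((i + 1))
    done
}

# Stand-alone use: check the bundle given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    check_ca_bundle "$1"
fi
```

Running `check_ca_bundle /path/to/ca-bundle.pem` before the certificate update catches the condition that the report says katello-certs-check currently misses; `split_pem_bundle` then produces the per-certificate files the workaround calls for. The threshold is the one the report observed, so adjust MAX_ISSUERS if a different limit is established.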
