katello-certs-check don't validate if there is a SAN that matches the Subject CN in custom certificates
Description of problem:
katello-certs-check validates if a custom certificate contains at least a Subject Alt Name, but it never cross check if this SAN matches the Subject CN of the provided certificate.
This can be misleading in a few cases. Here's a few I already saw happen:
1. SAN not containing the Subject CN at all (only other aliases)
2. A typo in the SAN
Both cases will pass the katello-cert-check validation but will fail to deploy.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Create a certificate with a typo in the SAN
2. Run katello-certs-check to verify it
3. Try deploying that cert on Satellite and it will fail
Validation with katello-certs-check passes without error or warning, but satellite-installer will fail to run with such certificate.
Validation should point out an issue with the certificate.
Fixes #31051 - Add verification to check if SAN entries match Subject CN on certificate
Change warning to error for certifcates that don't have a CN.
Change the way of comparing string variables.
#4 Updated by Joniel Pasqualetto 3 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset installer|e53e71c3dabb3b7a68292fddab6ddf0e7fa4398a.