Bug #31051

katello-certs-check doesn't validate if there is a SAN that matches the Subject CN in custom certificates

Added by Joniel Pasqualetto 12 months ago. Updated 10 months ago.

foreman-installer script


Description of problem:

katello-certs-check validates whether a custom certificate contains at least one Subject Alt Name, but it never cross-checks whether this SAN matches the Subject CN of the provided certificate.

This can be misleading in a few cases. Here are a few I have already seen happen:

1. SAN not containing the Subject CN at all (only other aliases)
2. A typo in the SAN

Both cases will pass the katello-certs-check validation but will fail to deploy.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Create a certificate with a typo in the SAN
2. Run katello-certs-check to verify it
3. Try deploying that cert on Satellite and it will fail

Actual results:
Validation with katello-certs-check passes without error or warning, but satellite-installer will fail to run with such a certificate.

Expected results:
Validation should point out an issue with the certificate.
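
The cross-check requested above, sketched as an added example; it is not the katello-certs-check code or the fix from the linked revisions. The function names, return codes and hostnames are assumptions of this example, and the sample openssl output is constructed.

```sh
# Added example: require the Subject CN to appear among the SAN DNS entries.

# Read `openssl x509 -noout -subject -nameopt multiline` output, print the CN.
extract_cn() {
    sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Read `openssl x509 -noout -text` output, print SAN DNS names one per line.
extract_san_dns() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# cn_in_san CN SAN_LIST -> 0 match, 1 CN absent from SAN, 2 no CN, 3 no SAN.
# The comparison is an exact, case-insensitive string match; wildcard SAN
# entries are not expanded (a simplifying assumption of this example).
cn_in_san() {
    [ -n "$1" ] || return 2
    [ -n "$2" ] || return 3
    printf '%s\n' "$2" | grep -qixF -- "$1" || return 1
}

# check_cert FILE: run the comparison on a PEM certificate and report.
check_cert() {
    cn=$(openssl x509 -noout -subject -nameopt multiline -in "$1" | extract_cn)
    sans=$(openssl x509 -noout -text -in "$1" | extract_san_dns)
    rc=0; cn_in_san "$cn" "$sans" || rc=$?
    case $rc in
        0) echo "OK: CN '$cn' is listed in the SAN" ;;
        1) echo "ERROR: CN '$cn' not found in SAN entries:"; echo "$sans" ;;
        2) echo "ERROR: certificate has no Subject CN" ;;
        3) echo "ERROR: certificate has no SAN DNS entries" ;;
    esac
    return $rc
}

# Constructed openssl output covering the two failure cases in the report.
SUBJECT_SAMPLE='subject=
    commonName                = satellite.example.com'
SAN_TYPO='            X509v3 Subject Alternative Name:
                DNS:satelite.example.com'
SAN_ALIASES_ONLY='            X509v3 Subject Alternative Name:
                DNS:sat.example.com, DNS:www.example.com'
SAN_GOOD='            X509v3 Subject Alternative Name:
                DNS:sat.example.com, DNS:Satellite.Example.com'

[ "$#" -eq 0 ] || check_cert "$1"
```

Run with a PEM file as the only argument to check a real certificate; a non-zero exit status identifies which of the three failures was found.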

Associated revisions

Revision e53e71c3 (diff)
Added by Joniel Pasqualetto 11 months ago

Fixes #31051 - Add verification to check if SAN entries match Subject CN on certificate

Change warning to error for certificates that don't have a CN.
Change the way of comparing string variables.

Revision 0cfa263c (diff)
Added by William Clark 11 months ago

Refs #31051 - Remove Warning method from katello-certs-check

The last use of this method was removed in e53e71


#1 Updated by The Foreman Bot 12 months ago

  • Status changed from New to Ready For Testing
  • Pull request added

#2 Updated by The Foreman Bot 11 months ago

  • Fixed in Releases 2.3.0 added

#3 Updated by The Foreman Bot 11 months ago

  • Assignee set to William Clark
  • Pull request added

#4 Updated by Joniel Pasqualetto 11 months ago

  • Status changed from Ready For Testing to Closed

#5 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Triaged changed from No to Yes
  • Target version set to 2.3.0
  • Category set to foreman-installer script
