Bug #31051
katello-certs-check doesn't validate if there is a SAN that matches the Subject CN in custom certificates
Description
Description of problem:
katello-certs-check validates that a custom certificate contains at least one Subject Alt Name, but it never cross-checks whether this SAN matches the Subject CN of the provided certificate.
This can be misleading in a few cases. Here are a few I have already seen happen:
1. SAN not containing the Subject CN at all (only other aliases)
2. A typo in the SAN
Both cases will pass the katello-certs-check validation but will fail to deploy.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Create a certificate with a typo in the SAN
2. Run katello-certs-check to verify it
3. Try deploying that cert on Satellite and it will fail
Actual results:
Validation with katello-certs-check passes without error or warning, but satellite-installer will fail to run with such a certificate.
Expected results:
Validation should point out an issue with the certificate.
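The check this report asks for, as an added example (it is not the katello-certs-check code and not the fix from the linked pull requests): extract the Subject CN and the DNS SAN entries with `openssl` and fail when the CN is missing or not listed. The function names, exit codes and sample hostnames are assumptions, and `-ext`/`-addext` need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: verify that a certificate's Subject CN also appears as a DNS SAN entry.

# Print the Subject CN of the PEM certificate in $1 (empty output if there is none).
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print the DNS entries of the subjectAltName extension, one per line.
cert_san_dns() {
    { openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null || true; } |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 if the CN is among the DNS SANs, 1 if it is not, 2 if there is no CN.
# Assumption: literal comparison only, no wildcard expansion.
check_cn_in_san() {
    cn=$(cert_cn "$1")
    if [ -z "$cn" ]; then
        echo "ERROR: $1 has no Subject CN" >&2
        return 2
    fi
    # DNS names are case-insensitive; -x and -F force a whole-line literal match.
    if cert_san_dns "$1" | grep -qixF -- "$cn"; then
        return 0
    fi
    echo "ERROR: CN '$cn' is not listed in the SAN of $1" >&2
    return 1
}

# Constructed sample input: self-signed certificate with subject $2 and SAN $3, written to $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -subj "$2" -addext "subjectAltName=$3" -out "$1" 2>/dev/null
}

# Demo on constructed certificates: one correct, one with a typo in the SAN.
tmp=$(mktemp -d)
make_sample_cert "$tmp/good.pem" "/CN=satellite.example.com" "DNS:satellite.example.com,DNS:sat.example.com"
make_sample_cert "$tmp/typo.pem" "/CN=satellite.example.com" "DNS:satelite.example.com"
for c in good typo; do
    if check_cn_in_san "$tmp/$c.pem"; then echo "$c: OK"; else echo "$c: FAILED"; fi
done
```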
Associated revisions
Refs #31051 - Remove Warning method from katello-certs-check
The last use of this method was removed in e53e71
History
#1
Updated by The Foreman Bot over 2 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman-installer/pull/590 added
#2
Updated by The Foreman Bot over 2 years ago
- Fixed in Releases 2.3.0 added
#3
Updated by The Foreman Bot over 2 years ago
- Assignee set to William Clark
- Pull request https://github.com/theforeman/foreman-installer/pull/606 added
#4
Updated by Joniel Pasqualetto over 2 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset installer|e53e71c3dabb3b7a68292fddab6ddf0e7fa4398a.
#5
Updated by Ewoud Kohl van Wijngaarden over 2 years ago
- Triaged changed from No to Yes
- Target version set to 2.3.0
- Category set to foreman-installer script
Fixes #31051 - Add verification to check if SAN entries match Subject CN on certificate
Change warning to error for certificates that don't have a CN.
Change the way of comparing string variables.