Bug #31574

The Artemis client certificate is not updated in truststore if it changes

Added by Eric Helms 9 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Foreman modules
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:

Description

The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>

[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095

However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>

[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B

Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>

[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56

They should match, but don't.

Associated revisions

Revision de946a47 (diff)
Added by Ewoud Kohl van Wijngaarden 5 months ago

Fixes #31574: Ensure truststore certificates get updated when they change

Revision 9074ba6d (diff)
Added by Eric Helms 5 months ago

Refs #31574: Compare SHA256 fingerprints when checking truststore

The default on some operating systems such as EL7 is to print the
SHA1 fingerprint of a certificate. The java truststore reports
the SHA-256 fingerprint and thus we need to explicitly check the
same fingerprint type.
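The check the two commits describe, written out as an added example (this is not puppet-certs code and not the fix from the revisions above): take the fingerprint of the PEM certificate and the fingerprint keytool reports for the alias, make sure both are the same digest before comparing them, and re-import only when they differ. Paths and alias are assumptions taken from the bug report (/etc/pki/katello/certs/java-client.crt, /etc/pki/katello/certs/truststore, alias 'artemis-client'); the script name and the store password argument are assumptions of this example. The sample fingerprint lines in the usage note are constructed from the output shown in the description.

```shell
#!/bin/sh
# Added example, not puppet-certs code: keep one trustedCertEntry in a Java
# truststore in sync with a PEM certificate on disk by comparing SHA-256
# fingerprints on both sides, and re-import only when they differ.
# Assumptions (not project defaults): the paths and alias from the bug report,
# /etc/pki/katello/certs/java-client.crt, /etc/pki/katello/certs/truststore,
# alias 'artemis-client'; the store password is passed as an argument.
# Nothing runs on load; see the usage guard at the bottom.

set -u

# Pull the colon-separated hex fingerprint out of a line printed by openssl
# ("SHA256 Fingerprint=AB:CD:...") or keytool ("Certificate fingerprint
# (SHA-256): AB:CD:...") and print it as bare uppercase hex so the two tools'
# output compares byte for byte. Prints nothing if the line has no fingerprint.
normalize_fingerprint() {
  printf '%s\n' "$1" \
    | grep -oE '([0-9A-Fa-f]{2}:){19,63}[0-9A-Fa-f]{2}' \
    | head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Name the digest a normalised fingerprint came from, by its hex length.
fingerprint_algo() {
  case "${#1}" in
    40)  echo SHA1 ;;
    64)  echo SHA256 ;;
    128) echo SHA512 ;;
    *)   echo UNKNOWN ;;
  esac
}

# Compare two normalised fingerprints. Exit status:
#   0  identical
#   1  same digest, different certificate (the truststore copy is stale)
#   2  different digests: the check itself is misconfigured. This is the EL7
#      trap from the commit above: openssl's default SHA1 fingerprint can
#      never equal keytool's SHA-256 one, so without this guard every run
#      would look like a change.
fingerprints_match() {
  [ "$(fingerprint_algo "$1")" = "$(fingerprint_algo "$2")" ] || return 2
  [ "$1" = "$2" ]
}

# SHA-256 fingerprint of a PEM certificate; -sha256 is passed explicitly so
# the result does not depend on the OS default digest.
cert_fingerprint() {
  normalize_fingerprint "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# Fingerprint keytool reports for alias $2 in truststore $1 (empty if the
# alias is not present). Current keytool prints SHA-256 on that line.
truststore_fingerprint() {
  normalize_fingerprint "$(keytool -list -keystore "$1" -storepass "$3" \
      -alias "$2" 2>/dev/null | grep -i fingerprint)"
}

# Re-import CERT under ALIAS only when the stored copy is missing or differs.
# Returns 0 when the store is current or has been refreshed, 2 on digest
# mismatch, and keytool's own status if a delete or import fails.
ensure_truststore_cert() {
  cert=$1; store=$2; alias=$3; pass=$4
  want=$(cert_fingerprint "$cert")
  have=$(truststore_fingerprint "$store" "$alias" "$pass")
  if [ -n "$have" ]; then
    rc=0; fingerprints_match "$want" "$have" || rc=$?
    case $rc in
      0) echo "$alias: up to date ($want)"; return 0 ;;
      2) echo "$alias: digest mismatch, want=$want have=$have" >&2; return 2 ;;
    esac
    echo "$alias: stale ($have), replacing with $cert ($want)"
    # keytool will not overwrite an existing alias, so drop it first.
    keytool -delete -alias "$alias" -keystore "$store" -storepass "$pass" || return $?
  else
    echo "$alias: not in $store, importing $cert ($want)"
  fi
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
          -keystore "$store" -storepass "$pass"
}

# Usage: sh truststore-sync.sh CERT TRUSTSTORE ALIAS STOREPASS
# e.g.   sh truststore-sync.sh /etc/pki/katello/certs/java-client.crt \
#            /etc/pki/katello/certs/truststore artemis-client "$STOREPASS"
if [ "$#" -eq 4 ]; then
  ensure_truststore_cert "$1" "$2" "$3" "$4"
fi
```

Fed the two lines from the description, `normalize_fingerprint` turns `SHA1 Fingerprint=2C:E3:...:A3:56` and `Certificate fingerprint (SHA1): 17:91:...:82:3B` into 40-character hex strings, and `fingerprints_match` returns 1 for them: same digest, different certificate, exactly the stale-truststore state the report shows. Feeding it a keytool SHA-256 line against an openssl SHA1 line returns 2 instead, which is the condition the second commit guards against by passing the digest explicitly. Two caveats for real use: `-storepass` on the command line is visible in the process list (keytool also accepts `-storepass:env` and `-storepass:file`), and the idempotence argument from comment #1 still applies: whatever is compared, the compare and the import must agree on what is stored, or every run will re-import.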

History

#1 Updated by Ewoud Kohl van Wijngaarden 9 months ago

  • Triaged changed from No to Yes
  • Category set to Foreman modules
  • Subject changed from The Artemis client certificate is not updated in truststore if it changes to The Artemis client certificate is not updated in truststore if it changes

On a related note: I'm wondering if we can store the CA in the truststore rather than the actual certificate. The CA is less likely to change and we already verify the exact DN anyway. Wouldn't that be sufficient? (It would still need to be idempotent and consistent with the CA though so the update code should still be there.)

#2 Updated by The Foreman Bot 8 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-certs/pull/311 added

#3 Updated by The Foreman Bot 8 months ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/312 added

#4 Updated by The Foreman Bot 6 months ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/320 added

#5 Updated by Eric Helms 5 months ago

  • Target version set to 2.5.0

#6 Updated by Eric Helms 5 months ago

  • Bugzilla link deleted (1897360)

#7 Updated by Eric Helms 5 months ago

  • Bugzilla link set to 1951662

#8 Updated by The Foreman Bot 5 months ago

  • Fixed in Releases 2.5.0 added

#9 Updated by Ewoud Kohl van Wijngaarden 5 months ago

  • Status changed from Ready For Testing to Closed

#10 Updated by The Foreman Bot 5 months ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/323 added

#11 Updated by Eric Helms 5 months ago

  • Pull request deleted (https://github.com/theforeman/puppet-certs/pull/312, https://github.com/theforeman/puppet-certs/pull/311)
