Project

General

Profile

Actions
Copy link

Bug #31574

closed

The Artemis client certificate is not updated in truststore if it changes

Added by Eric Helms over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Helms
Category:
Foreman modules
Target version:
Foreman - 2.5.0
Difficulty:
Triaged:
Yes
Bugzilla link:
1951662
Pull request:
https://github.com/theforeman/puppet-certs/pull/320, https://github.com/theforeman/puppet-certs/pull/323
Fixed in Releases:
Foreman - 2.5.0
Found in Releases:
Red Hat JIRA:

Description

The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>

[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095

However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>

[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B

Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>

[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56

They should match, but don't

Actions
Copy link
 #1

Updated by Ewoud Kohl van Wijngaarden over 2 years ago

  • Subject changed from The Artemis client certificate is not updated in truststore if it changes to The Artemis client certificate is not updated in truststore if it changes
  • Category set to Foreman modules
  • Triaged changed from No to Yes

On a related note: I'm wondering if we can store the CA in the truststore rather than the actual certificate. The CA is less likely to change and we already verify the exact DN anyway. Wouldn't that be sufficient? (It would still need to be idempotent and consistent with the CA though so the update code should still be there.)

Actions
Copy link
 #2

Updated by The Foreman Bot over 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-certs/pull/311 added
Actions
Copy link
 #3

Updated by The Foreman Bot over 2 years ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/312 added
Actions
Copy link
 #4

Updated by The Foreman Bot over 2 years ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/320 added
Actions
Copy link
 #5

Updated by Eric Helms over 2 years ago

  • Target version set to 2.5.0
Actions
Copy link
 #6

Updated by Eric Helms over 2 years ago

  • Bugzilla link deleted (1897360)
Actions
Copy link
 #7

Updated by Eric Helms over 2 years ago

  • Bugzilla link set to 1951662
Actions
Copy link
 #8

Updated by The Foreman Bot over 2 years ago

  • Fixed in Releases 2.5.0 added
Actions
Copy link
 #9

Updated by Ewoud Kohl van Wijngaarden over 2 years ago

  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #10

Updated by The Foreman Bot over 2 years ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/323 added
Actions
Copy link
 #11

Updated by Eric Helms over 2 years ago

  • Pull request deleted (https://github.com/theforeman/puppet-certs/pull/311, https://github.com/theforeman/puppet-certs/pull/312)
Actions
Copy link

Also available in: Atom PDF