
Bug #34317

[Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1

Added by Evgeni Golov 10 months ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Category:
Foreman modules
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2036054

Description of problem:
[Custom Certs] - Failed to install the custom certs on the Satellite 7.0.0 works fine in 6.10

Version-Release number of selected component (if applicable):
fails on Satellite 7.0.0
Passes on Satellite 6.10

How reproducible:
Always

Steps to Reproduce:
1. Generate the CA certs bundle and install it as follows

[root@dhcp-3-215 ~]# satellite-installer --scenario satellite \
  --certs-server-cert "/root/satellite.redhat.com/satellite.redhat.com.crt" \
  --certs-server-key "/root/satellite.redhat.com/satellite.redhat.com.key" \
  --certs-server-ca-cert "/root/cacert.crt" \
  --certs-update-server --certs-update-server-ca

Actual results:
Satellite Installer is not installing the custom certs in Satellite.

Expected results:
Satellite Installer should install the custom certs on the Satellite.

Additional info:

Associated revisions

Revision 4648167d (diff)
Added by Ewoud Kohl van Wijngaarden 10 months ago

Fixes #34317 - Use the correct certificate to register

The server SSL CA is used to authenticate client certificates. The chain
is actually the one that has signed the public key of the certificate.

History

#1 Updated by Evgeni Golov 10 months ago

  • Subject changed from [Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1 to [Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1
  • Found in Releases 3.1.0 added

The problem is that puppet-certs dropped the "trusted_ca" use in the following commit:

commit 953261ffd2eb52b7176ab365fb0c4e9245435d99
Author: Eric D. Helms <ericdhelms@gmail.com>
Date:   Thu Jul 2 15:16:29 2020 -0400

    Refs #30316: Drop bootstrap RPM code

And moved it to puppet-foreman_proxy_content:

commit 7bf101dc5507c90936b9e6169b91848ef106fe0f
Author: Eric D. Helms <ericdhelms@gmail.com>
Date:   Thu Jul 2 14:09:33 2020 -0400

    Fixes #30316: Move bootstrap RPM generation from puppet-certs

but due to ordering, the fpc code is not executed before Foreman::Register/Foreman_host is called, so at that point the CA is still untrusted and everything fails.

Re-running the installer works, as now the CA is trusted.

#2 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Target version set to 3.1.1
  • Category set to Foreman modules

I think the problem is that it's using the wrong file:
https://github.com/theforeman/puppet-foreman/blob/589abb8d88b2460acecc6b4b6d05b2e0f9258f92/manifests/register.pp#L13
That should be using the chain, not the CA.

https://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile#5543737

SSLCertificateChainFile is what signed the public key, SSLCACertificateFile is the one that allows client certs.
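The distinction above is what the registration step trips over: an HTTP client handed a CA file uses it as its trust anchor for the *server* certificate, so it must be the CA that signed the server cert, not the one Apache uses to validate *client* certificates. The following Ruby script is an added illustration, not code from puppet-foreman or the fix in PR 1022. It constructs two unrelated CAs (a hypothetical "Server Signing CA" standing in for `--certs-server-ca-cert`, and a hypothetical "Client Auth CA" standing in for the `SSLCACertificateFile`), issues a server certificate from the first, and then checks which CA a client would need in order to trust that server certificate. All certificates, names and key sizes are constructed for the example.

```ruby
require 'openssl'

# Build a self-signed CA certificate and its private key (constructed for the example).
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Issue a leaf server certificate signed by the given CA.
def issue_server_cert(ca_cert, ca_key, cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Mimic what a TLS client does with the file it is handed as "the CA":
# load it as the only trust anchor and ask whether the server certificate chains to it.
def server_cert_trusted_by?(ca_cert, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(server_cert)
end

# Constructed scenario: two CAs with no relation to each other.
SERVER_CA, SERVER_CA_KEY = make_ca('Server Signing CA')   # hypothetical stand-in for --certs-server-ca-cert
CLIENT_CA, _CLIENT_CA_KEY = make_ca('Client Auth CA')     # hypothetical stand-in for SSLCACertificateFile
SERVER_CERT = issue_server_cert(SERVER_CA, SERVER_CA_KEY, 'satellite.example.com')

# True: the chain that signed the server cert verifies it.
def trusted_with_server_chain
  server_cert_trusted_by?(SERVER_CA, SERVER_CERT)
end

# False: the CA that merely gates client certificates does not, which is the
# failure mode when a client is pointed at the wrong file.
def trusted_with_client_auth_ca
  server_cert_trusted_by?(CLIENT_CA, SERVER_CERT)
end

if __FILE__ == $0
  puts "verify with the chain that signed the server cert: #{trusted_with_server_chain}"
  puts "verify with the client-auth CA:                    #{trusted_with_client_auth_ca}"
end
```

Run it with `ruby certs_demo.rb`. Only the first check succeeds; if the registration client is given the client-auth CA, the server certificate is untrusted and the HTTPS call fails exactly as on first installer run, while a deployment in which the same CA happens to sign both client and server certificates masks the bug, which is why it surfaced only with custom certs.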

#3 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Assignee deleted (Eric Helms)

#4 Updated by The Foreman Bot 10 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/1022 added

#5 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Triaged changed from No to Yes
  • Fixed in Releases 3.1.1, 3.2.0 added
