Project

General

Profile

Actions

Bug #37021

open

katello-certs-check should succeed if intermediates are presented without root

Added by Kevin Keane 12 months ago. Updated 12 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

The katello-certs-check utility requires that the provided certificate chain contains not just all intermediate certs, but also the root certificate.

It should accept a certificate bundle that contains only intermediate certifictes, as long as the root is globally installed on the server. This is in keeping with RFCs, and also because some CAs (Sectigo in my case) only provide intermediate certificates.

To achieve that, the openssl verify line should be changed to replace the -CAfile argument with the -untrusted argument.

CHECK=$(openssl verify -untrusted $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

How to reproduce:

Obtain a certificate, key, and corresponding intermediate certificates. Ensure that the intermediate certificates do not include a self-signed root certificate.

Then run:

katello-certs-check -c <certfile>.pem -k <keyfile>.pem -b <ca intermediate bundle>.pem

Expected result:
...
Checking CA bundle against the certificate file:
[OK]
...

Actual result:
...
Checking CA bundle against the certificate file:
[FAIL]

The <intermediate>.pem does not verify the <certificate>.pem
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 2 at 2 depth lookup: unable to get issuer certificate
error <certificte>.pem: verification failed
...

Actions

Also available in: Atom PDF