Feature #37063

closed

Make katello-certs-check verify if the CA bundle has any certificates with trust rules

Added by Joniel Pasqualetto 6 months ago. Updated 23 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
foreman-installer script
Target version:
-
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

Description of problem:

Trust rules on a certificate indicate what the accepted uses for it are. Some users may have a CA bundle where one of the certificates includes trust rules (maybe incorrectly).

The default validation done by katello-certs-check does not complain about it. The bundle can be used without problems on Satellite 6.14+ but fails on 6.13 (at least, didn't check older versions).

Also, when thinking about clients of Satellite, RHEL8+ can trust the bundle that contains trust rules but RHEL7 will have problems (when using libcurl) trusting that.

So, accepting a bundle like this will potentially break the Satellite installation (foreman-proxy is the component failing on 6.13 when using it) and also break the access to Satellite for RHEL7 hosts.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Have a CA certificate and add a trust rule to it:

~~~
openssl x509 -in ca_cert.pem -addtrust serverAuth -out ca_trust_rule.pem
~~~

2. Check with katello-certs-check and there will be no complaints about it.

Actual results:

katello-certs-check does not complain about having a CA bundle in a format that may break satellite and/or client access to satellite

Expected results:

katello-certs-check should point out that there is an issue with the bundle

Additional info:
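The kind of check this issue asks for, as an added example that is not foreman-installer's own katello-certs-check code (see the linked pull request for that). It relies on the fact that OpenSSL stores trust rules added with `openssl x509 -addtrust` only in the `TRUSTED CERTIFICATE` PEM form, so a bundle can be screened by its PEM headers alone; all function names and the sample bundle are this example's own constructions.

```shell
#!/bin/sh
# Added example, not foreman-installer code. OpenSSL writes a certificate that
# carries trust rules ("openssl x509 -addtrust ...") with the header
# "-----BEGIN TRUSTED CERTIFICATE-----" instead of "-----BEGIN CERTIFICATE-----",
# so counting those headers tells whether a CA bundle contains trust rules.

# Number of PEM blocks in bundle $1 that carry trust rules.
count_trusted_certs() {
  n=$(grep -c '^-----BEGIN TRUSTED CERTIFICATE-----' "$1" || true)
  echo "${n:-0}"
}

# Number of plain PEM certificate blocks in bundle $1.
count_plain_certs() {
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  echo "${n:-0}"
}

# Succeed only if bundle $1 contains no certificate with trust rules;
# otherwise print a diagnostic and return 1, like a failed certs check would.
check_ca_bundle() {
  bundle=$1
  trusted=$(count_trusted_certs "$bundle")
  plain=$(count_plain_certs "$bundle")
  if [ "$trusted" -gt 0 ]; then
    echo "ERROR: $bundle has $trusted certificate(s) with trust rules (TRUSTED CERTIFICATE blocks)." >&2
    echo "       Re-export each one without trust settings: openssl x509 -in cert.pem -out cert-plain.pem" >&2
    return 1
  fi
  echo "OK: $bundle has $plain certificate(s), none with trust rules"
  return 0
}

# Write a constructed bundle with two plain blocks and $1 trusted blocks and
# print its path. The base64 bodies are placeholders, not real certificates;
# the check above only inspects the PEM headers.
make_sample_bundle() {
  f=$(mktemp)
  i=0
  while [ "$i" -lt 2 ]; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
      'Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtQ0VSVA==' \
      '-----END CERTIFICATE-----' >> "$f"
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt "$1" ]; do
    printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' \
      'Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtQ0VSVA==' \
      '-----END TRUSTED CERTIFICATE-----' >> "$f"
    i=$((i + 1))
  done
  echo "$f"
}

# Stand-alone use: ./check_trust_rules.sh /path/to/ca_bundle.pem
if [ "$#" -gt 0 ]; then
  check_ca_bundle "$1"
fi
```

Run against a bundle produced with the `-addtrust` command from the steps above, the check fails and names the count of affected blocks; the remediation it prints works because `openssl x509` writes a plain `CERTIFICATE` block unless `-trustout` is given, which drops the trust settings from the output.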

Actions #1

Updated by The Foreman Bot 6 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/909 added
Actions #2

Updated by The Foreman Bot 4 months ago

  • Fixed in Releases 3.11.0 added
Actions #3

Updated by Joniel Pasqualetto 4 months ago

  • Status changed from Ready For Testing to Closed
Actions #4

Updated by Ewoud Kohl van Wijngaarden 23 days ago

  • Tracker changed from Bug to Feature
  • Subject changed from Add feature in katello-certs-check to verify if CA bundle has any certificates with trust rules to Make katello-certs-check verify if the CA bundle has any certificates with trust rules
  • Category set to foreman-installer script
  • Triaged changed from No to Yes