Foreman » Installer

Description of problem:

Trust rules on a certificate indicate what are the accepted uses for it. Some users may have a CA bundle where one of the certificates includes trust rules (maybe incorrectly).

The default validation done by katello-certs-check does not complain about it. The bundle can be used without problems on Satellite 6.14+ but fails on 6.13 (at least, didn't check older versions).

Also, when thinking about clients of Satellite, RHEL8+ can trust the bundle that contains trust rules but RHEL7 will have problems (when using libcurl) trusting that.

So, accepting a bundle like this will potentially break the Satellite installation (foreman-proxy is the component failing on 6.13 when using it) and also break the access to Satellite for RHEL7 hosts.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Have a CA certificate and add a trust rule to it:

~_{~
openssl x509 -in ca_cert.pem -addtrust serverAuth -out ca_trust_rule.pem}
~~

2. Check with katello-certs-check and there will be no complaints about it.

Actual results:

katello-certs-check does not complaint about having a CA bundle in a format that may break satellite and/or client access to satellite

Expected results:

katello-certs-check should point that there is an issue with the bundle

Additional info: