Bug #37695 (open)
default CA file used on smart proxy server for foreman_ssl_ca.pem instead of server CA
Description
Using custom TLS certificates signed by the same CA chain on a main foreman/katello host with an in-built smart proxy results in `/etc/foreman-proxy/foreman_ssl_ca.pem` having the contents of the "server CA", or the trust chain of the custom SSL certificate. The tarball generated by the `foreman-proxy-certs-generate` command does include both files in `ssl-build/`, but the `katello-default-ca.crt` file is being used for both `/etc/foreman-proxy/foreman_ssl_ca.pem` and `/etc/foreman-proxy/ssl_ca.pem` on the standalone smart proxy when I deploy the certificates with the command generated by `foreman-proxy-certs-generate` on the main foreman/katello server:
```
foreman-installer --scenario foreman-proxy-content --certs-tar-file "/root/<smart proxy fqdn>-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<smart proxy fqdn>" \
--foreman-proxy-oauth-consumer-key "XXX" \
--foreman-proxy-oauth-consumer-secret "XXX"
```
I would guess it's an issue with which file gets copied from the tarball into `/etc/foreman-proxy/foreman_ssl_ca.pem` since the installer options for `--foreman-proxy-foreman-ssl-ca` and `--foreman-proxy-ssl-ca` are the same on the main server and the smart proxy.
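The quickest way to tell the two suspects apart (tarball built wrong vs. file copied wrong) is to compare the CA files byte for byte at each stage. The script below is an added example, not code from the bug report or from the Foreman project: it checks whether `katello-default-ca.crt` and `katello-server-ca.crt` in an extracted `ssl-build/` directory are identical, and reports which of the two a deployed `foreman_ssl_ca.pem` or `ssl_ca.pem` actually matches. File names follow the report; the PEM contents used in the demo are constructed placeholders, not real certificates, and the demo deliberately stages the broken deployment described above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Foreman project.
# Checks an extracted ssl-build directory for the symptom in the report
# (katello-default-ca.crt and katello-server-ca.crt byte-identical) and
# tells which of the two a deployed foreman_ssl_ca.pem actually matches.
# File names follow the report; certificate contents in the demo are
# constructed placeholders, not real PEMs.

# ca_files_distinct DIR: exit 0 when the two CA files in DIR differ,
# 1 when they are identical (the state described in the follow-up comment).
ca_files_distinct() {
    ! cmp -s "$1/katello-default-ca.crt" "$1/katello-server-ca.crt"
}

# deployed_ca_source PEM DIR: print which ssl-build CA file PEM matches.
# For /etc/foreman-proxy/foreman_ssl_ca.pem the expected answer is "server";
# "default" is the bug; "both" can only happen when the two CA files are
# identical; "none" means the deployed file came from somewhere else.
deployed_ca_source() {
    pem=$1; dir=$2; d=n; s=n
    cmp -s "$pem" "$dir/katello-default-ca.crt" && d=y
    cmp -s "$pem" "$dir/katello-server-ca.crt" && s=y
    case "$d$s" in
        yy) echo both ;;
        yn) echo default ;;
        ny) echo server ;;
        *)  echo none ;;
    esac
}

# check_tarball TAR: extract TAR into a scratch directory and print
# "distinct" or "identical" for its ssl-build CA pair.
check_tarball() {
    scratch=$(mktemp -d)
    tar -xf "$1" -C "$scratch"
    if ca_files_distinct "$scratch/ssl-build"; then echo distinct; else echo identical; fi
    rm -rf "$scratch"
}

# write_placeholder_pem FILE LABEL: constructed stand-in for a CA file.
write_placeholder_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' > "$1"
}

# make_demo_tarball TAR: build a stand-in for <smart proxy fqdn>-certs.tar
# whose ssl-build/ holds two distinct placeholder CA files, as the report
# says the real tarball does.
make_demo_tarball() {
    work=$(mktemp -d)
    mkdir "$work/ssl-build"
    write_placeholder_pem "$work/ssl-build/katello-default-ca.crt" 'PLACEHOLDER-DEFAULT-CA'
    write_placeholder_pem "$work/ssl-build/katello-server-ca.crt"  'PLACEHOLDER-SERVER-CA'
    tar -cf "$1" -C "$work" ssl-build
    rm -rf "$work"
}

# demo: build the tarball, check it, extract it, then stage the broken
# deployment from the report (default CA copied into both PEMs) and ask
# which CA each deployed file carries. Prints three lines: tarball state,
# source of ssl_ca.pem, source of foreman_ssl_ca.pem.
demo() {
    top=$(mktemp -d)
    make_demo_tarball "$top/proxy-certs.tar"
    check_tarball "$top/proxy-certs.tar"
    tar -xf "$top/proxy-certs.tar" -C "$top"
    mkdir "$top/etc"
    cp "$top/ssl-build/katello-default-ca.crt" "$top/etc/ssl_ca.pem"          # as deployed
    cp "$top/ssl-build/katello-default-ca.crt" "$top/etc/foreman_ssl_ca.pem"  # the bug: should be server CA
    deployed_ca_source "$top/etc/ssl_ca.pem" "$top/ssl-build"
    deployed_ca_source "$top/etc/foreman_ssl_ca.pem" "$top/ssl-build"
    rm -rf "$top"
}

demo
```

On a real proxy, run `check_tarball /root/<smart proxy fqdn>-certs.tar` against the tarball copied from the main server, then `ca_files_distinct` on the `ssl-build` directory the installer extracted, and finally `deployed_ca_source /etc/foreman-proxy/foreman_ssl_ca.pem <ssl-build dir>`. A "distinct" tarball with an "identical" extracted directory points at how `ssl-build` is created; a "distinct" extracted directory with `foreman_ssl_ca.pem` reporting "default" points at the copy step.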
Updated by David Schlenk about 2 months ago
update: the contents of the `ssl-build` directory extracted from the tarball on the smart proxy have the same content for `katello-server-ca.crt` and `katello-default-ca.crt`, so the problem would appear to be how that `ssl-build` directory is created, not the copy from `ssl-build` to `/etc/foreman-proxy`. The actual tarball generated on the main server for the proxy seems to contain the correct, distinct values in the `default` and `server` files.
Updated by The Foreman Bot 11 days ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/puppet-certs/pull/460 added
Updated by The Foreman Bot 5 days ago
- Pull request deleted (https://github.com/theforeman/puppet-certs/pull/460)