Bug #37695 (open)
default CA file used on smart proxy server for foreman_ssl_ca.pem instead of server CA
Description
Using custom TLS certificates signed by the same CA chain on a main foreman/katello host with an in-built smart proxy results in `/etc/foreman-proxy/foreman_ssl_ca.pem` having the contents of the "server CA", or the trust chain of the custom SSL certificate. The tarball generated from the `foreman-proxy-certs-generate` command does include both files in `ssl-build/`, but `katello-default-ca.crt` file is being used for both `/etc/foreman-proxy/foreman_ssl_ca.pem` and `/etc/foreman-proxy/ssl_ca.pem` on the standalone smart proxy when I deploy the certificates with the command generated by the `foreman-proxy-certs-generate` command on the main foreman/katello server:
```
foreman-installer --scenario foreman-proxy-content --certs-tar-file "/root/<smart proxy fqdn>-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<smart proxy fqdn>" \
--foreman-proxy-oauth-consumer-key "XXX" \
--foreman-proxy-oauth-consumer-secret "XXX"
```
I would guess it's an issue with which file gets copied from the tarball into `/etc/foreman-proxy/foreman_ssl_ca.pem` since the installer options for `--foreman-proxy-foreman-ssl-ca` and `--foreman-proxy-ssl-ca` are the same on the main server and the smart proxy.
Updated by David Schlenk 5 months ago
update: the contents of the `ssl-build` directory extracted from the tarball on the smart proxy have the same content for `katello-server-ca.crt` and `katello-default-ca.crt`, so the problem would appear to be how that `ssl-build` directory is created, not the copy from `ssl-build` to `/etc/foreman-proxy`. The actual tarball generated on the main server for the proxy seems to contain the correct, distinct values in the `default` and `server` files.
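A quick way to confirm the symptom described in the report and the update above is to compare the deployed CA file against both CA files in the extracted `ssl-build` directory. The script below is an added example, not part of Foreman, Katello or puppet-certs; the file names `katello-server-ca.crt`, `katello-default-ca.crt` and `foreman_ssl_ca.pem` are taken from the report, while the two directory arguments and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Foreman/Katello code): diagnose whether the smart proxy's
# foreman_ssl_ca.pem was populated from the server CA or from the default CA.
# Directory arguments and exit codes are assumptions for this example.

# same_file A B: succeed when two files have identical contents
# (command substitution drops trailing newlines, which is fine for PEM files)
same_file() {
    [ "$(cat "$1")" = "$(cat "$2")" ]
}

# check_proxy_ca SSL_BUILD_DIR PROXY_CONF_DIR
# Prints a one-line verdict and returns:
#   0  foreman_ssl_ca.pem matches the server CA (expected state)
#   1  foreman_ssl_ca.pem carries the default CA (the symptom in this bug)
#   2  ssl-build itself has identical server and default CA files
#      (points at how ssl-build was created, not at the copy step)
#   3  a required file is missing or unreadable
#   4  foreman_ssl_ca.pem matches neither CA file in ssl-build
check_proxy_ca() {
    build="$1"
    conf="$2"
    server_ca="$build/katello-server-ca.crt"
    default_ca="$build/katello-default-ca.crt"
    foreman_ca="$conf/foreman_ssl_ca.pem"

    for f in "$server_ca" "$default_ca" "$foreman_ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 3; }
    done

    if same_file "$server_ca" "$default_ca"; then
        echo "ssl-build: server CA and default CA are identical; check how ssl-build was created"
        return 2
    fi
    if same_file "$foreman_ca" "$default_ca"; then
        echo "foreman_ssl_ca.pem contains the default CA, expected the server CA"
        return 1
    fi
    if same_file "$foreman_ca" "$server_ca"; then
        echo "ok: foreman_ssl_ca.pem matches the server CA"
        return 0
    fi
    echo "foreman_ssl_ca.pem matches neither CA file in ssl-build"
    return 4
}

# Stand-alone use: check_ca.sh /root/ssl-build /etc/foreman-proxy
if [ $# -eq 2 ]; then
    check_proxy_ca "$1" "$2"
fi
```

Run it on the proxy with the extracted `ssl-build` directory and `/etc/foreman-proxy` as arguments; exit code 2 reproduces the finding in the update (the tarball on disk already has identical files), while exit code 1 would point at the copy step instead.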
Updated by The Foreman Bot 4 months ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/puppet-certs/pull/460 added
Updated by The Foreman Bot 3 months ago
- Pull request deleted (https://github.com/theforeman/puppet-certs/pull/460)