Bug #37695

open

default CA file used on smart proxy server for foreman_ssl_ca.pem instead of server CA

Added by David Schlenk 5 months ago. Updated 3 months ago.

Status:
Ready For Testing
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Using custom TLS certificates signed by the same CA chain on a main foreman/katello host with an in-built smart proxy results in `/etc/foreman-proxy/foreman_ssl_ca.pem` having the contents of the "server CA", i.e. the trust chain of the custom SSL certificate. The tarball generated by the `foreman-proxy-certs-generate` command does include both files in `ssl-build/`, but the `katello-default-ca.crt` file is being used for both `/etc/foreman-proxy/foreman_ssl_ca.pem` and `/etc/foreman-proxy/ssl_ca.pem` on the standalone smart proxy when I deploy the certificates with the command generated by the `foreman-proxy-certs-generate` command on the main foreman/katello server:

```
foreman-installer --scenario foreman-proxy-content --certs-tar-file "/root/<smart proxy fqdn>-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<smart proxy fqdn>" \
--foreman-proxy-oauth-consumer-key "XXX" \
--foreman-proxy-oauth-consumer-secret "XXX"
```

I would guess it's an issue with which file gets copied from the tarball into `/etc/foreman-proxy/foreman_ssl_ca.pem` since the installer options for `--foreman-proxy-foreman-ssl-ca` and `--foreman-proxy-ssl-ca` are the same on the main server and the smart proxy.

#1

Updated by David Schlenk 5 months ago

Update: the contents of the `ssl-build` directory extracted from the tarball on the smart proxy have the same content for `katello-server-ca.crt` and `katello-default-ca.crt`, so the problem would appear to be how that `ssl-build` directory is created, not the copy from `ssl-build` to `/etc/foreman-proxy`. The actual tarball generated on the main server for the proxy seems to contain the correct, distinct values in the default and server files.
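A quick way to confirm the symptom described in the report and in comment #1 on a proxy host is to fingerprint every certificate in each bundle and compare the sets, rather than eyeballing PEM text. The script below is an added example, not code from the bug report or from the Foreman/puppet-certs project. It assumes the four file paths named in the report, reports whether `ssl-build/katello-default-ca.crt` and `ssl-build/katello-server-ca.crt` carry the same certificates, and which of the two each deployed `/etc/foreman-proxy/*.pem` file matches. It treats "foreman_ssl_ca.pem equals the server CA" as the healthy state, following the bug title; the report does not say what `ssl_ca.pem` should contain, so that file is only reported, not judged. The embedded sample bundles are constructed PEM-framed placeholders, not real X.509 certificates, so the example runs offline; `audit_from_disk()` reads the real files. Only the standard library is used, so it can run unmodified on the proxy.

```python
"""Added check (not part of the bug report or of puppet-certs): compare the CA bundles
shipped in ssl-build/ with the files the installer deployed under /etc/foreman-proxy."""
import base64
import hashlib
import re
from pathlib import Path

# File roles named in the bug report (paths assumed as given there).
SSL_BUILD_DEFAULT = "ssl-build/katello-default-ca.crt"
SSL_BUILD_SERVER = "ssl-build/katello-server-ca.crt"
PROXY_FOREMAN_CA = "/etc/foreman-proxy/foreman_ssl_ca.pem"
PROXY_SSL_CA = "/etc/foreman-proxy/ssl_ca.pem"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle, as a frozenset.

    A set makes the comparison order-insensitive, so a chain file listing
    intermediate-then-root matches one listing root-then-intermediate.
    """
    fps = set()
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return frozenset(fps)


def audit(files):
    """files: {role path: PEM text}. Reports which ssl-build file each deployed file matches."""
    fps = {name: pem_fingerprints(text) for name, text in files.items()}

    def sources(deployed):
        return [n for n in (SSL_BUILD_DEFAULT, SSL_BUILD_SERVER) if fps[n] == fps[deployed]]

    default_equals_server = fps[SSL_BUILD_DEFAULT] == fps[SSL_BUILD_SERVER]
    foreman_ca_sources = sources(PROXY_FOREMAN_CA)
    return {
        # The symptom from comment #1: both ssl-build CA files carry the same certs.
        "ssl_build_default_equals_server": default_equals_server,
        "foreman_ssl_ca_matches": foreman_ca_sources,
        "ssl_ca_matches": sources(PROXY_SSL_CA),
        # Healthy only if the two CAs are distinct AND foreman_ssl_ca.pem is exactly
        # the server CA (the expectation stated in the bug title).
        "healthy": not default_equals_server and foreman_ca_sources == [SSL_BUILD_SERVER],
        "cert_counts": {name: len(f) for name, f in fps.items()},
    }


def fake_pem(*payloads):
    """Constructed test input: PEM framing around arbitrary bytes. NOT real X.509
    certificates; the fingerprint comparison only needs distinct DER payloads."""
    blocks = []
    for payload in payloads:
        b64 = base64.b64encode(payload).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(blocks)


# Constructed samples. SAMPLE_BROKEN reproduces the report: ssl-build/ holds the default CA
# in both files, so both deployed files end up being the default CA as well.
DEFAULT_CA = fake_pem(b"katello-default-ca (constructed)")
SERVER_CA_CHAIN = fake_pem(b"custom intermediate CA (constructed)", b"custom root CA (constructed)")

SAMPLE_BROKEN = {
    SSL_BUILD_DEFAULT: DEFAULT_CA,
    SSL_BUILD_SERVER: DEFAULT_CA,
    PROXY_FOREMAN_CA: DEFAULT_CA,
    PROXY_SSL_CA: DEFAULT_CA,
}
SAMPLE_OK = {  # assumes ssl_ca.pem legitimately carries the default CA; the report does not say
    SSL_BUILD_DEFAULT: DEFAULT_CA,
    SSL_BUILD_SERVER: SERVER_CA_CHAIN,
    PROXY_FOREMAN_CA: SERVER_CA_CHAIN,
    PROXY_SSL_CA: DEFAULT_CA,
}


def audit_from_disk(ssl_build_dir="ssl-build"):
    """Read the real files on a proxy host (ssl-build/ relative to the extracted tarball)."""
    paths = {
        SSL_BUILD_DEFAULT: Path(ssl_build_dir) / "katello-default-ca.crt",
        SSL_BUILD_SERVER: Path(ssl_build_dir) / "katello-server-ca.crt",
        PROXY_FOREMAN_CA: Path(PROXY_FOREMAN_CA),
        PROXY_SSL_CA: Path(PROXY_SSL_CA),
    }
    return audit({role: p.read_text() for role, p in paths.items()})


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(label, audit(sample))
```

On a real host, `ssl_build_default_equals_server` being true before the installer ever copies anything localises the fault to how the tarball is unpacked into `ssl-build/`, which is the conclusion comment #1 reaches; comparing the same two files inside the tarball still on the main server (where the reporter saw distinct content) closes the loop.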

#2

Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Fixed in Releases deleted ()

#3

Updated by The Foreman Bot 4 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-certs/pull/460 added

#4

Updated by The Foreman Bot 3 months ago

  • Pull request deleted (https://github.com/theforeman/puppet-certs/pull/460)