
Bug #28043

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

When using custom certs, the CA chain presented is the Default CA where Katello is configured to expect the Server CA. This isn't a problem without custom certs because then those are the same chain.

<pre>
# egrep Cert /etc/httpd/conf.d/03-crane.conf
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt" --> Wrong? This should be katello-server-ca.crt
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
</pre>

The SSL verification issue can be seen when there is an intermediate CA along with the root CA. If a client connecting to crane only has the root CA in its trust store, SSL verification will fail.

Example:
<pre>
# openssl s_client -connect sat65.lab.box:5000 -CAfile ./rootCA.pem
CONNECTED(00000003)
depth=0 C = IN, ST = MH, L = PNQ, O = Satellite, OU = Unix Admins, CN = sat65.lab.box
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = PNQ, O = Satellite, OU = Unix Admins, CN = sat65.lab.box
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = IN, ST = MH, L = PNQ, O = Sysmgmt, OU = Unix Admins, CN = sat65.lab.box
   i:C = IN, ST = MH, L = PNQ, O = Intermediate CA, OU = CA Support, CN = Intermediate CA
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
</pre>

*How reproducible:*
Clients connecting to the crane registry will face this only when there is more than one CA in the chain and the client only has the root CA in its trust store.

*Steps to Reproduce:*
1. Install custom SSL certs on Katello signed by a Root CA -> Intermediate CA -> Katello cert
2. Put the Root CA in a system's trust store. Do not register it to Katello, as that will put the full chain in anchors and trust, i.e. katello-server-ca.crt
3. Use any container software on that system to connect to crane over https and notice the SSL verification errors

*Actual results:*
Certs cannot be verified

*Expected results:*
The SSLCertificateChainFile option of the Apache configuration should point at katello-server-ca.crt so that the SSL chain is served correctly
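As an added illustration (not part of the bug report or of Katello's own tooling), the script below does two checks that correspond to the two pieces of evidence above: it parses the `SSL*` directives of an httpd config fragment and flags an `SSLCertificateChainFile` that does not point at `katello-server-ca.crt`, and it parses the "Certificate chain" section of `openssl s_client` output and explains, by DN matching, why a client that trusts only the root fails to build a path. The config and broken-chain samples are copied from the report; the fixed-chain sample and the root CA subject DN are constructed assumptions, since the page does not give them.

```python
import re
from typing import Dict, List, Set, Tuple

# Sample httpd config (the four directive lines from the bug report, without the annotation).
CRANE_CONF = """\
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
"""

# Sample 1: the "Certificate chain" section as shown in the report. Entry 0 is issued by the
# Intermediate CA, but entry 1 is the self-signed Katello default CA, so the chain does not link.
BROKEN_CHAIN_OUTPUT = """\
---
Certificate chain
 0 s:C = IN, ST = MH, L = PNQ, O = Sysmgmt, OU = Unix Admins, CN = sat65.lab.box
   i:C = IN, ST = MH, L = PNQ, O = Intermediate CA, OU = CA Support, CN = Intermediate CA
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
---
"""

# Sample 2 (constructed): what the server should send once the chain file holds the intermediate.
FIXED_CHAIN_OUTPUT = """\
---
Certificate chain
 0 s:C = IN, ST = MH, L = PNQ, O = Sysmgmt, OU = Unix Admins, CN = sat65.lab.box
   i:C = IN, ST = MH, L = PNQ, O = Intermediate CA, OU = CA Support, CN = Intermediate CA
 1 s:C = IN, ST = MH, L = PNQ, O = Intermediate CA, OU = CA Support, CN = Intermediate CA
   i:C = IN, ST = MH, L = PNQ, O = Root CA, OU = CA Support, CN = Root CA
---
"""

# Constructed assumption: subject DN of the root in the client's trust store (rootCA.pem in the report).
TRUSTED_ROOT_SUBJECTS: Set[str] = {"C = IN, ST = MH, L = PNQ, O = Root CA, OU = CA Support, CN = Root CA"}

SSL_DIRECTIVE = re.compile(r'^\s*(SSLCertificate\w+|SSLCACertificateFile)\s+"?([^"\s]+)"?', re.M)
SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def ssl_directives(conf_text: str) -> Dict[str, str]:
    """Map each SSL certificate directive in an httpd config fragment to its file path."""
    return {name: path for name, path in SSL_DIRECTIVE.findall(conf_text)}


def chain_file_is_server_ca(directives: Dict[str, str], server_ca_name: str = "katello-server-ca.crt") -> bool:
    """True when SSLCertificateChainFile points at the server CA bundle Katello expects."""
    return directives.get("SSLCertificateChainFile", "").endswith(server_ca_name)


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    lines = s_client_output.splitlines()
    chain: List[Tuple[str, str]] = []
    in_section = False
    for idx, line in enumerate(lines):
        if line.strip() == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "---":  # end of the chain section
            break
        m = SUBJECT_LINE.match(line)
        if m:
            nxt = ISSUER_LINE.match(lines[idx + 1]) if idx + 1 < len(lines) else None
            if nxt is None:
                raise ValueError(f"entry {m.group(1)} has no issuer line")
            chain.append((m.group(2).strip(), nxt.group(1).strip()))
    return chain


def chain_problems(chain: List[Tuple[str, str]], trusted_subjects: Set[str]) -> List[str]:
    """Mirror the path-building step of verification using DNs only (no signature checks):
    the issuer of entry i must be the subject of entry i+1, and the chain must end at a trust anchor.
    An empty list means the chain is shaped so a root-only client can build a path."""
    if not chain:
        return ["server sent no certificates"]
    problems: List[str] = []
    for i in range(len(chain) - 1):
        issuer, next_subject = chain[i][1], chain[i + 1][0]
        if issuer != next_subject:
            problems.append(f"entry {i} is issued by '{issuer}' but entry {i + 1} is '{next_subject}'")
    last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_subjects and last_subject not in trusted_subjects:
        problems.append(f"chain ends at '{last_issuer}', which is not in the client's trust store")
    return problems


if __name__ == "__main__":
    conf = ssl_directives(CRANE_CONF)
    print("chain file OK:", chain_file_is_server_ca(conf), "->", conf.get("SSLCertificateChainFile"))
    for label, sample in (("broken", BROKEN_CHAIN_OUTPUT), ("fixed", FIXED_CHAIN_OUTPUT)):
        print(label, chain_problems(parse_chain(sample), TRUSTED_ROOT_SUBJECTS) or ["no problems"])
```

The DN comparison is deliberately a shape check: it reproduces why `openssl` reports error 20 ("unable to get local issuer certificate") for the broken sample, because nothing in the presented chain or the trust store is the issuer of the leaf, but a real verifier also checks signatures, validity periods and name constraints. Note also that httpd 2.4.8 and later deprecate `SSLCertificateChainFile` in favour of appending the intermediates to the `SSLCertificateFile` bundle, which the same check can be adapted to by inspecting the certificate file itself.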
