Bug #28043

Updated by Ewoud Kohl van Wijngaarden 10 months ago

When using custom certs, the CA chain presented is the Default CA where Katello is configured to expect the Server CA. This isn't a problem without custom certs because then those are the same chain.

<pre>
# egrep Cert /etc/httpd/conf.d/03-crane.conf
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt" --> Wrong? This should be katello-server-ca.crt
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
</pre>

The SSL verification issue can be seen when there is an Intermediate CA along with the Root CA. If a client connecting to crane only has the Root CA in its trust store, SSL verification will fail.

Example:
<pre>
# openssl s_client -connect sat65.lab.box:5000 -CAfile ./rootCA.pem
CONNECTED(00000003)
depth=0 C = IN, ST = MH, L = PNQ, O = Satellite, OU = Unix Admins, CN = sat65.lab.box
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = IN, ST = MH, L = PNQ, O = Satellite, OU = Unix Admins, CN = sat65.lab.box
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = IN, ST = MH, L = PNQ, O = Sysmgmt, OU = Unix Admins, CN = sat65.lab.box
   i:C = IN, ST = MH, L = PNQ, O = Intermediate CA, OU = CA Support, CN = Intermediate CA
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = sat65.lab.box
</pre>

*How reproducible:*
Clients connecting to the crane registry will face this only when there is more than one CA in the chain and the client has only the Root CA in its trust store.

*Steps to Reproduce:*
1. Install custom SSL certs on Katello signed by a Root CA -> Intermediate CA -> Katello cert
2. Put the Root CA in a system's trust store. Do not register it to Katello, as that would put the full chain in the trust anchors, i.e. katello-server-ca.crt
3. Use any container software on that system to connect to crane over https and notice the SSL verification errors

*Actual results:*
Certs cannot be verified

*Expected results:*
The SSLCertificateChainFile option in the Apache configuration should point to katello-server-ca.crt so that the SSL chain is served correctly.
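The failure mode above, reproduced offline as an added example that is not part of this bug report or of Katello: a throwaway Root CA -> Intermediate CA -> server cert PKI is built with openssl, and the server cert is then verified the way a client that trusts only the Root CA would, once with the intermediate as the served chain (what katello-server-ca.crt carries) and once with an unrelated self-signed "default" CA standing in for the misconfigured SSLCertificateChainFile. All file names and subjects are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): show why a client holding only the Root CA
# fails when the server sends the wrong chain file. Names/subjects are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate"; exit 0; }
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA: the only certificate in the client's trust store (plays ./rootCA.pem).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out rootCA.pem \
  -subj "/O=Example/CN=Example Root CA" -days 2 2>/dev/null
# Intermediate CA signed by the root.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA rootCA.pem -CAkey root.key -CAcreateserial \
  -out intermediate.pem -days 2 -extfile ca.ext 2>/dev/null
# Server (leaf) certificate signed by the intermediate, as in the reported setup.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/O=Example/CN=katello.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey int.key -CAcreateserial \
  -out server.pem -days 2 2>/dev/null
# An unrelated self-signed CA standing in for katello-default-ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -keyout default.key -out default-ca.pem \
  -subj "/O=Example/CN=Example Default CA" -days 2 2>/dev/null

# Returns 0 when server.pem chains to rootCA.pem using only the extra certs in $1,
# i.e. what a Root-CA-only client sees if the server sends $1 as its chain file.
client_verifies() {
    openssl verify -CAfile rootCA.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

# One line per candidate chain file, so the outcome is visible when run by hand.
report() {
    for chain in intermediate.pem default-ca.pem; do
        if client_verifies "$chain"; then echo "$chain: verifies"; else echo "$chain: FAILS"; fi
    done
}
report
```

The same check can be run against a live server by feeding the certificates from `openssl s_client -showcerts` (everything after the leaf) to `-untrusted`; if it fails with only the root in `-CAfile`, the served chain is the problem, not the client.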
