- Bug
- Resolution: Done-Errata
- Major
- rhel-8.10, rhel-9.5
- Moderate
- rhel-cockpit
- ssg_front_door
- Dev ack
- Red Hat Enterprise Linux
- Pass
- Automated
What were you trying to do that didn't work?
When the system is configured with the FUTURE crypto policy, the cockpit interface cannot be accessed because the RSA key size used to create the self-signed key and certificate is too weak (2048 bits), while FUTURE enforces 3072-bit RSA keys.
The solution is to fix /usr/libexec/cockpit-certificate-helper as shown below:
# diff -u /usr/libexec/cockpit-certificate-helper.orig /usr/libexec/cockpit-certificate-helper --- /usr/libexec/cockpit-certificate-helper.orig 2025-02-10 15:26:34.687857865 +0100 +++ /usr/libexec/cockpit-certificate-helper 2025-02-10 15:26:42.198896128 +0100 @@ -24,7 +24,6 @@ selfsign_sscg() { sscg --quiet \ --lifetime "${DAYS}" \ - --key-strength 2048 \ --cert-key-file "${KEYFILE}" \ --cert-file "${CERTFILE}" \ --ca-file "${CA_FILE}" \ @@ -37,7 +36,7 @@ selfsign_openssl() { openssl req -x509 \ -days "${DAYS}" \ - -newkey rsa:2048 \ + -newkey rsa \ -keyout "${KEYFILE}" \ -keyform PEM \ -nodes \
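Review bot: In selfsign_sscg(), once `--key-strength 2048` is dropped the key size is whatever sscg picks by default, and nothing in this hunk shows that the default is at least the 3072 bits FUTURE requires. Please confirm that on the affected releases and add a short comment above the sscg call saying the size is intentionally left to the tool and the system policy, so a later cleanup does not pin it again.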
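Review bot: In selfsign_openssl(), `-newkey rsa` with no bit count takes its size from the OpenSSL configuration (default_bits), so the outcome depends on a file this patch does not touch. Please state in a comment next to `-newkey rsa` that the size is deliberately left to the configuration, and verify that a certificate generated after switching to FUTURE has a key of at least 3072 bits; otherwise the helper will again produce a key the policy rejects.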
What is the impact of this issue to you?
Cannot use cockpit
Please provide the package NVR for which the bug is seen:
cockpit-ws-310.4-1.el8_10
cockpit-ws-323.1-1.el9_5
How reproducible is this bug?:
Always
Steps to reproduce
- Delete self-signed certificates
# rm /etc/cockpit/ws-certs.d/0-self-signed.*
- Stop the service
# systemctl stop cockpit*.service
- Move to FUTURE policy
# update-crypto-policies --set FUTURE
- Connect to cockpit
# curl https://localhost:9090/
curl: (60) SSL certificate problem: EE certificate key too weak
Expected results
No error connecting.
Actual results
Error because key size is too weak.
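A check for the condition this report describes, as an added example that is not part of the original report or of cockpit: it reads `openssl x509 -noout -text` output and reports whether an RSA certificate key is below a minimum, defaulting to the 3072 bits the report gives for FUTURE. The function names, status strings and the sample text are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not cockpit code. All names below are hypothetical.

# Minimum RSA key size the report gives for the FUTURE policy.
FUTURE_MIN_RSA_BITS=3072

# Constructed sample (not captured from a real host): the relevant lines of
# `openssl x509 -noout -text` output for a certificate with a 2048-bit RSA key.
SAMPLE_2048='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

# Read `openssl x509 -noout -text` output on stdin and classify the key.
# Prints "ok N", "weak N", "not-rsa ALGO" or "unparsed".
# Returns 0 (acceptable), 1 (RSA key below minimum) or 2 (could not parse).
classify_cert_text() {
    local min_bits="$1" text algo bits
    text="$(cat)"
    algo="$(printf '%s\n' "$text" |
        sed -n 's/.*Public Key Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)"
    # Some OpenSSL versions print "RSA Public-Key: (N bit)", others "Public-Key: (N bit)".
    bits="$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)"
    if [ -z "$algo" ] || [ -z "$bits" ]; then
        echo "unparsed"; return 2
    fi
    if [ "$algo" != "rsaEncryption" ]; then
        echo "not-rsa $algo"; return 0   # the RSA minimum does not apply
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "weak $bits"; return 1
    fi
    echo "ok $bits"
}

# Check a PEM certificate file; a read failure ends up as "unparsed".
check_cert() {
    local cert="$1" min_bits="${2:-$FUTURE_MIN_RSA_BITS}"
    openssl x509 -in "$cert" -noout -text 2>/dev/null | classify_cert_text "$min_bits"
}

# Usage: script.sh CERT.pem [MIN_BITS]; exit status follows classify_cert_text.
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

Run against the self-signed certificate under /etc/cockpit/ws-certs.d/ before switching policy, a "weak 2048" result means the certificate has to be regenerated with a larger key first.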
Links to: RHBA-2024:140230 cockpit bug fix and enhancement update