- Bug
- Resolution: Unresolved
- Normal
- None
- 6.14.1
Description of problem:
- Standalone hammer configuration encounters failure when the CA of the Satellite/Capsule contains multiple CAs in its chain.
Version-Release number of selected component (if applicable):
- satellite-6.14.1-1.el8sat.noarch
- rubygem-foreman_maintain-1.3.5-1.el8sat.noarch
How reproducible:
- Always
Steps to Reproduce:
1. Set up a Satellite with a CA which has multiple CAs in the chain. For example:
~~~
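# CA_BUNDLE.pem is a placeholder: the report does not give the path of the bundle inspected here.
awk -v cmd='openssl x509 -noout -subject -issuer' '/BEGIN/{close(cmd)};{print | cmd}' < CA_BUNDLE.pem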
subject=CN = EXAMPLE-ROOT
issuer=CN = EXAMPLE-ROOT
subject=CN = EXAMPLE-INTER-1
issuer=CN = EXAMPLE-ROOT
subject=CN = EXAMPLE-INTER-2
issuer=CN = EXAMPLE-INTER-1
~~~
2. Configure standalone hammer on a RHEL 8 machine as per the documentation.
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/hammer_cli_guide/chap-cli_guide-introduction_to_hammer#sect-CLI_Guide-Standalone_Use_of_Hammer
3. Execute the following command to fetch the CA certificate.
~~~
hammer --fetch-ca-cert https://satellite.example.com/
~~~
Actual results:
- Hammer commands fail with the following error.
~~~
# hammer ping
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
~~~
- Fetch command only downloads the end CA certificate.
~~~
# awk -v cmd='openssl x509 -noout -subject -issuer' '/BEGIN/{close(cmd)};{print | cmd}' < /root/.hammer/certs/satellite.example.com_443.pem
subject=CN = EXAMPLE-INTER-2
issuer=CN = EXAMPLE-INTER-1
~~~
- See the katello-server-ca from the client for reference.
~~~
awk -v cmd='openssl x509 -noout -subject -issuer' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/rhsm/ca/katello-server-ca.pem
subject=CN = EXAMPLE-ROOT
issuer=CN = EXAMPLE-ROOT
subject=CN = EXAMPLE-INTER-1
issuer=CN = EXAMPLE-ROOT
subject=CN = EXAMPLE-INTER-2
issuer=CN = EXAMPLE-INTER-1
~~~
Expected results:
- The fetch command should download the full chain.
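
A quick way to confirm whether a fetched bundle is missing part of the chain, as an added example that is not part of the original report or of hammer itself. The function names and the two sample listings (built from the output shown above) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag issuers that are absent from a CA bundle.
# Matching is by subject/issuer name only; it does not verify signatures.

# Print subject/issuer for every certificate in a PEM bundle, using the
# same awk/openssl pipeline as the report (needs openssl).
list_certs() {
  awk -v cmd='openssl x509 -noout -subject -issuer' \
      '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# Read "subject=..." / "issuer=..." lines on stdin. Print every issuer with
# no matching subject in the bundle, and note a missing self-signed root.
# Returns 0 for a complete chain, 1 otherwise.
missing_issuers() {
  awk '
    /^subject=/ { s = substr($0, 9); subj[s] = 1; next }
    /^issuer=/  { i = substr($0, 8); iss[i] = 1
                  if (i == s) root = 1 }
    END {
      for (i in iss) if (!(i in subj)) { print "missing: " i; bad = 1 }
      if (!root) { print "no self-signed root in bundle"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample input: listing of the full chain (katello-server-ca.pem).
FULL_CHAIN='subject=CN = EXAMPLE-ROOT
issuer=CN = EXAMPLE-ROOT
subject=CN = EXAMPLE-INTER-1
issuer=CN = EXAMPLE-ROOT
subject=CN = EXAMPLE-INTER-2
issuer=CN = EXAMPLE-INTER-1'

# Constructed sample input: listing of what --fetch-ca-cert stored.
FETCHED_ONLY='subject=CN = EXAMPLE-INTER-2
issuer=CN = EXAMPLE-INTER-1'

printf '%s\n' "$FULL_CHAIN"   | missing_issuers && echo "full chain: complete"
printf '%s\n' "$FETCHED_ONLY" | missing_issuers || echo "fetched bundle: incomplete"

# On a real system:
#   list_certs /root/.hammer/certs/satellite.example.com_443.pem | missing_issuers
```
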