Satellite / SAT-25060

Can't update custom certs on the 6.15.0


    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 6.15.0
    • Satellite Maintain
    • Important
    • No

      Description of problem:

      Custom certs expired, and updating with new ones doesn't work

      Version-Release number of selected component (if applicable):

      6.15.0

      How reproducible:

      Install 6.15.0 and run the cert validation.

      katello-certs-check \
      -c /root/satellite_cert/satellite_cert.pem \
      -k /root/satellite_cert/satellite_cert_key.pem \
      -b /root/satellite_cert/ca_cert_bundle.pem

      And run the generated output

      # satellite-installer --scenario satellite \
        --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
        --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
        --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
        --certs-update-server --certs-update-server-ca

      and it fails.

      Steps to Reproduce:

      1. cert dates are good

      openssl crl2pkcs7 -nocrl -certfile /root/satellite_cert/satellite_cert.pem | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS)'

      Not Before: Apr 11 04:50:26 2024 GMT
      Not After : Apr 11 04:50:26 2026 GMT

      2. Check succeeds.

      # katello-certs-check \
      > -c /root/satellite_cert/satellite_cert.pem \
      > -k /root/satellite_cert/satellite_cert_key.pem \
      > -b /root/satellite_cert/ca_cert_bundle.pem
      Checking server certificate encoding:
      [OK]

      Checking expiration of certificate:
      [OK]

      Checking expiration of CA bundle:
      [OK]

      Checking if server certificate has CA:TRUE flag
      [OK]

      Checking for private key passphrase:
      [OK]

      Checking to see if the private key matches the certificate:
      [OK]

      Checking CA bundle against the certificate file:
      [OK]

      Checking CA bundle size: 2
      [OK]

      Checking Subject Alt Name on certificate
      [OK]

      Checking if any Subject Alt Name on certificate matches the Subject CN
      [OK]

      Checking Key Usage extension on certificate for Key Encipherment
      [OK]

      Checking for use of shortname as CN
      [OK]

      Validation succeeded

      Actual results:

      2024-05-10 17:32:01 [NOTICE] [configure] 1250 configuration steps out of 1575 steps complete.
      2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
      2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
      2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
      2024-05-10 17:32:41 [NOTICE] [configure] 1500 configuration steps out of 1575 steps complete.
      2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
      2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
      2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
      2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
      2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
      2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
      2024-05-10 17:32:44 [NOTICE] [configure] System configuration has finished.

      Error 1: Puppet Foreman_host resource 'foreman-satellite.example.com' failed. Logs:
      /Stage[main]/Foreman::Register/Foreman_host[foreman-satellite.example.com]
      Adding autorequire relationship with Anchor[foreman::service]
      Adding autorequire relationship with Anchor[foreman::providers::oauth]
      Starting to evaluate the resource (1474 of 1575)
      Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
      Wrapped exception:
      SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
      Evaluated in 0.01 seconds
      Foreman_host[foreman-satellite.example.com](provider=rest_v3)
      Making get request to https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22

      Error 2: Puppet Foreman_host resource 'foreman-proxy-satellite.example.com' failed. Logs:
      /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-satellite.example.com]
      Adding autorequire relationship with Anchor[foreman::service]
      Adding autorequire relationship with Anchor[foreman::providers::oauth]
      Starting to evaluate the resource (1560 of 1575)
      Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
      Wrapped exception:
      SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
      Evaluated in 0.01 seconds
      Foreman_host[foreman-proxy-satellite.example.com](provider=rest_v3)
      Making get request to https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22

      Error 3: Puppet Foreman_smartproxy resource 'satellite.example.com' failed. Logs:
      /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]
      Adding autorequire relationship with Anchor[foreman::service]
      Adding autorequire relationship with Anchor[foreman::providers::oauth]
      Starting to evaluate the resource (1562 of 1575)
      Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
      Wrapped exception:
      SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
      Evaluated in 0.01 seconds
      Foreman_smartproxy[satellite.example.com](provider=rest_v3)
      Making get request to https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22

      Expected results:

      The installer combination generated by katello-certs-check should complete successfully.

      Additional info:

      Full details inside the case 03815974

      1. setenforce 0 - no difference
      2. # mv /etc/pki/ca-trust/source/anchors/*.crt /root/oldcerts

      # satellite-installer --scenario satellite \
        --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
        --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
        --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
        --certs-update-server --certs-update-server-ca
      • no difference

      3. certs-update-all

      # satellite-installer --scenario satellite \
        --certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
        --certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
        --certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
        --certs-update-all --certs-update-server-ca
      • also no difference
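
Triage of the installer log above, as an added example that is not part of the original report: it groups the "certificate verify failed" errors by the endpoint the installer connected to and the reason OpenSSL gave, which shows that all three failed resources are one client-side verification failure against a single host. The sample lines are constructed copies of the report's log format; the names LINE, SAMPLE_LOG and triage are chosen for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the log format shown in the report.
SAMPLE_LOG = """\
2024-05-10 17:32:01 [NOTICE] [configure] 1250 configuration steps out of 1575 steps complete.
2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
2024-05-10 17:32:44 [NOTICE] [configure] System configuration has finished.
"""

# One ERROR line per failed Puppet resource: resource path, verify reason,
# HTTP method and the URL the installer was requesting.
LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \[ERROR\s*\] \[configure\] "
    r"(?P<resource>/Stage\[main\]/\S+\]): Could not evaluate: .*?"
    r"certificate verify failed \((?P<reason>[^)]+)\) "
    r"in (?P<method>\w+) request to: (?P<url>\S+)$"
)


def triage(log_text):
    """Group TLS verification failures by (endpoint, reason)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # NOTICE lines and "Wrapped exception" repeats add nothing
        url = urlsplit(m["url"])
        default_port = 443 if url.scheme == "https" else 80
        endpoint = f"{url.hostname}:{url.port or default_port}"
        resource = m["resource"].rsplit("/", 1)[-1]  # e.g. Foreman_host[...]
        groups[(endpoint, m["reason"])].append((resource, url.path))
    return dict(groups)


if __name__ == "__main__":
    for (endpoint, reason), hits in triage(SAMPLE_LOG).items():
        print(f"{endpoint}: {reason} ({len(hits)} failed resources)")
        for resource, path in hits:
            print(f"  {resource} -> {path}")
```

The endpoint it reports is the one whose served certificate chain and client trust store are worth comparing against the files that katello-certs-check validated.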

            jira-bugzilla-migration RH Bugzilla Integration