Bug
Resolution: Duplicate
Major
6.15.0
CLOSED
Platform
Important
Description of problem:
Custom certs expired, and updating with new ones doesn't work
Version-Release number of selected component (if applicable):
6.15.0
How reproducible:
Install 6.15.0 and run the cert validation.
katello-certs-check \
-c /root/satellite_cert/satellite_cert.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-b /root/satellite_cert/ca_cert_bundle.pem
And run the generated output:
# satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
--certs-update-server --certs-update-server-ca
and it fails.
Steps to Reproduce:
1. cert dates are good
openssl crl2pkcs7 -nocrl -certfile /root/satellite_cert/satellite_cert.pem | openssl pkcs7 -text -print_certs |egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS)'
Not Before: Apr 11 04:50:26 2024 GMT
Not After : Apr 11 04:50:26 2026 GMT
2. Check succeeds.
# katello-certs-check \
> -c /root/satellite_cert/satellite_cert.pem \
> -k /root/satellite_cert/satellite_cert_key.pem \
> -b /root/satellite_cert/ca_cert_bundle.pem
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking CA bundle size: 2
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
Validation succeeded
Actual results:
2024-05-10 17:32:01 [NOTICE] [configure] 1250 configuration steps out of 1575 steps complete.
2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
2024-05-10 17:32:41 [NOTICE] [configure] 1500 configuration steps out of 1575 steps complete.
2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
2024-05-10 17:32:41 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
2024-05-10 17:32:41 [ERROR ] [configure] Wrapped exception:
2024-05-10 17:32:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
2024-05-10 17:32:44 [NOTICE] [configure] System configuration has finished.
Error 1: Puppet Foreman_host resource 'foreman-satellite.example.com' failed. Logs:
/Stage[main]/Foreman::Register/Foreman_host[foreman-satellite.example.com]
Adding autorequire relationship with Anchor[foreman::service]
Adding autorequire relationship with Anchor[foreman::providers::oauth]
Starting to evaluate the resource (1474 of 1575)
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Evaluated in 0.01 seconds
Foreman_host[foreman-satellite.example.com](provider=rest_v3)
Making get request to https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
Error 2: Puppet Foreman_host resource 'foreman-proxy-satellite.example.com' failed. Logs:
/Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-satellite.example.com]
Adding autorequire relationship with Anchor[foreman::service]
Adding autorequire relationship with Anchor[foreman::providers::oauth]
Starting to evaluate the resource (1560 of 1575)
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Evaluated in 0.01 seconds
Foreman_host[foreman-proxy-satellite.example.com](provider=rest_v3)
Making get request to https://satellite.example.com/api/v2/hosts?search=name%3D%22satellite.example.com%22
Error 3: Puppet Foreman_smartproxy resource 'satellite.example.com' failed. Logs:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]
Adding autorequire relationship with Anchor[foreman::service]
Adding autorequire relationship with Anchor[foreman::providers::oauth]
Starting to evaluate the resource (1562 of 1575)
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
Evaluated in 0.01 seconds
Foreman_smartproxy[satellite.example.com](provider=rest_v3)
Making get request to https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
Expected results:
The installer combination generated by katello-certs-check should complete successfully.
Additional info:
Full details inside the case 03815974
1. setenforce 0 - no difference
2. # mv /etc/pki/ca-trust/source/anchors/*.crt /root/oldcerts
# satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
--certs-update-server --certs-update-server-ca
- no difference
3. certs-update-all
# satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
--certs-update-all --certs-update-server-ca
- also no difference
duplicates: SAT-16256 katello-certs-check will pass, even if the bundle is expired
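Step 1 of the report checks dates only for the server certificate, while the report was closed as a duplicate of SAT-16256 (katello-certs-check passing even if the bundle is expired). The script below is an added example, not part of the report or of Satellite's tooling, that checks every certificate in a CA bundle on its own. The function names and the sample bundle are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: check the expiry of every certificate in a PEM bundle.
# `openssl x509` reads only the first certificate in a file, so the bundle
# is split and each certificate is checked on its own.

# expiring_in_bundle BUNDLE [SECONDS]
# Prints one line per certificate; the return status is the number of
# certificates already expired or expiring within SECONDS (default 0).
expiring_in_bundle() {
    local bundle="$1" window="${2:-0}" tmp bad=0 pem
    tmp=$(mktemp -d) || return 255
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || { echo "no certificates in $bundle"; bad=255; break; }
        if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            printf 'OK      '
        else
            printf 'EXPIRES '; bad=$((bad + 1))
        fi
        openssl x509 -in "$pem" -noout -subject -enddate | paste -sd' ' -
    done
    rm -rf "$tmp"
    return "$bad"
}

# Constructed sample input: a bundle of two throwaway self-signed
# certificates, one valid for 1 day and one valid for 365 days.
make_sample_bundle() {
    local out="$1" d days
    d=$(mktemp -d) || return 1
    : > "$out"
    for days in 1 365; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=constructed-ca-$days" \
            -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
        cat "$d/cert.pem" >> "$out"
    done
    rm -rf "$d"
}

# Run as: bash check_bundle.sh /path/to/ca_bundle.pem [seconds]
if [ -n "${1:-}" ]; then expiring_in_bundle "$@"; fi
```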