Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-29322

Satellite 6.16 fails with CA signature digest algorithm too weak regardless of crypto-policy

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False
    • 0
    • Yes

      Description of problem:

      Trying to upgrade to Satellite 6.16 when a CA using SHA1 digest algorithm is used (internal CA or part of the bundle for custom certs) fails regardless of the crytpo-policy of the system.

      How reproducible:

      Always

      Is this issue a regression from an earlier version:

      yes

      Steps to Reproduce:

      1. Setup a satellite 6.16 (on RHEL8)

      2. Create a CA/certificate that uses sha1 (like below):

      # openssl x509 -noout -text -in /root/weak_ca/sha1/ca.crt |grep Algo
        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha1WithRSAEncryption

      3. Try deploy custom certs generated by this CA and see the error:

        /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com]
    Adding autorequire relationship with Anchor[foreman::service]
    Adding autorequire relationship with Anchor[foreman::providers::oauth]
    Starting to evaluate the resource (3113 of 3141)
    Could not evaluate: Exception SSL_connect returned=1 errno=0 peeraddr=192.168.110.100:443 state=error: certificate verify failed (CA signature digest algorithm too weak) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
Wrapped exception:
SSL_connect returned=1 errno=0 peeraddr=192.168.110.100:443 state=error: certificate verify failed (CA signature digest algorithm too weak)
    Evaluated in 0.00 seconds
  Foreman_smartproxy[satellite.example.com](provider=rest_v3)
    Making get request to https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22

       

      Actual behavior:
      satellite-installer fails

      Expected behavior:
      when crypto-policy allows, normal usage of the certificates

      Business Impact / Additional info:

      This can be a blocker for old customer that have their internal CAs using sha1. Custom certs that include some sha1 signed certs will also be impacted.

      Problem appears to come from the curl include in puppet-agent. 

      ~~~
# /opt/puppetlabs/puppet/bin/curl https://$(hostname -f)/rhsm/status --cacert /root/weak_ca/sha1/ca.crt 
curl: (60) SSL certificate problem: CA signature digest algorithm too weak
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
~~~

using curl from the OS it works:

~~~
# /usr/bin/curl https://$(hostname -f)/rhsm/status --cacert /root/weak_ca/sha1/ca.crt 
{"mode":"NORMAL","modeReason":null,"modeChangeTime":null,"result":true,"version":"4.4.16","release":"1","standalone":true,"timeUTC":"2024-11-08T22:04:01+0000","rulesSource":"database","rulesVersion":"5.44","managerCapabilities":["instance_multiplier","derived_product","vcpu","cert_v3","hypervisors_heartbeat","remove_by_pool_id","syspurpose","storage_band","cores","multi_environment","hypervisors_async","org_level_content_access","typed_environments","guest_limit","ram","batch_bind","combined_reporting"],"keycloakRealm":null,"keycloakAuthUrl":null,"keycloakResource":null,"deviceAuthRealm":null,"deviceAuthUrl":null,"deviceAuthClientId":null,"deviceAuthScope":null}[
~~~

              Unassigned Unassigned
              rhn-support-jpasqual Joniel Pasqualetto
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: