-
Bug
-
Resolution: Done-Errata
-
Major
-
6.16.0
Description of problem:
Trying to upgrade to Satellite 6.16 when a CA using SHA1 digest algorithm is used (internal CA or part of the bundle for custom certs) fails regardless of the crytpo-policy of the system.
How reproducible:
Always
Is this issue a regression from an earlier version:
yes
Steps to Reproduce:
1. Setup a satellite 6.16 (on RHEL8)
2. Create a CA/certificate that uses sha1 (like below):
# openssl x509 -noout -text -in /root/weak_ca/sha1/ca.crt |grep Algo Signature Algorithm: sha1WithRSAEncryption Public Key Algorithm: rsaEncryption Signature Algorithm: sha1WithRSAEncryption
3. Try deploy custom certs generated by this CA and see the error:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[satellite.example.com] Adding autorequire relationship with Anchor[foreman::service] Adding autorequire relationship with Anchor[foreman::providers::oauth] Starting to evaluate the resource (3113 of 3141) Could not evaluate: Exception SSL_connect returned=1 errno=0 peeraddr=192.168.110.100:443 state=error: certificate verify failed (CA signature digest algorithm too weak) in get request to: https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22 Wrapped exception: SSL_connect returned=1 errno=0 peeraddr=192.168.110.100:443 state=error: certificate verify failed (CA signature digest algorithm too weak) Evaluated in 0.00 seconds Foreman_smartproxy[satellite.example.com](provider=rest_v3) Making get request to https://satellite.example.com/api/v2/smart_proxies?search=name%3D%22satellite.example.com%22
Actual behavior:
satellite-installer fails
Expected behavior:
when crypto-policy allows, normal usage of the certificates
Business Impact / Additional info:
This can be a blocker for old customer that have their internal CAs using sha1. Custom certs that include some sha1 signed certs will also be impacted.
Problem appears to come from the curl include in puppet-agent.
~~~ # /opt/puppetlabs/puppet/bin/curl https://$(hostname -f)/rhsm/status --cacert /root/weak_ca/sha1/ca.crt curl: (60) SSL certificate problem: CA signature digest algorithm too weak More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ~~~ using curl from the OS it works: ~~~ # /usr/bin/curl https://$(hostname -f)/rhsm/status --cacert /root/weak_ca/sha1/ca.crt {"mode":"NORMAL","modeReason":null,"modeChangeTime":null,"result":true,"version":"4.4.16","release":"1","standalone":true,"timeUTC":"2024-11-08T22:04:01+0000","rulesSource":"database","rulesVersion":"5.44","managerCapabilities":["instance_multiplier","derived_product","vcpu","cert_v3","hypervisors_heartbeat","remove_by_pool_id","syspurpose","storage_band","cores","multi_environment","hypervisors_async","org_level_content_access","typed_environments","guest_limit","ram","batch_bind","combined_reporting"],"keycloakRealm":null,"keycloakAuthUrl":null,"keycloakResource":null,"deviceAuthRealm":null,"deviceAuthUrl":null,"deviceAuthClientId":null,"deviceAuthScope":null}[ ~~~
- clones
-
SAT-29322 Satellite 6.16 fails with CA signature digest algorithm too weak regardless of crypto-policy
- In Progress
- depends on
-
SAT-29989 Release 1.7.9 by ehelms · Pull Request #961 · theforeman/foreman_maintain · GitHub
- Closed
- links to
-
RHSA-2024:144053 Satellite 6.16.1 Async Update