Bug #37063

closed

Add feature in katello-certs-check to verify if CA bundle has any certificates with trust rules

Added by Joniel Pasqualetto 4 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Description of problem:

Trust rules on a certificate indicate what its accepted uses are. Some users may have a CA bundle where one of the certificates includes trust rules (maybe incorrectly).

The default validation done by katello-certs-check does not complain about it. The bundle can be used without problems on Satellite 6.14+ but fails on 6.13 (at least, didn't check older versions).

Also, when thinking about clients of Satellite, RHEL8+ can trust the bundle that contains trust rules but RHEL7 will have problems (when using libcurl) trusting that.

So, accepting a bundle like this will potentially break the Satellite installation (foreman-proxy is the component failing on 6.13 when using it) and also break the access to Satellite for RHEL7 hosts.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Have a CA certificate and add a trust rule to it:

~~~
openssl x509 -in ca_cert.pem -addtrust serverAuth -out ca_trust_rule.pem
~~~

2. Check with katello-certs-check and there will be no complaints about it.

Actual results:

katello-certs-check does not complain about having a CA bundle in a format that may break Satellite and/or client access to Satellite.

Expected results:

katello-certs-check should point out that there is an issue with the bundle.

Additional info:
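The check the report asks for can be done on the PEM text alone. `openssl x509 -addtrust` (the command in the reproduction steps) writes the certificate with the header `-----BEGIN TRUSTED CERTIFICATE-----` instead of `-----BEGIN CERTIFICATE-----`, so a bundle validator only needs to count those headers. The script below is an added example written for this page; it is not the code from katello-certs-check or from the linked foreman-installer pull request, and the function names and the two sample bundles it writes (placeholder base64 bodies, not real certificates) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from foreman-installer or katello-certs-check:
# flag certificates that carry OpenSSL trust rules inside a PEM CA bundle.
#
# `openssl x509 -addtrust ...` emits the certificate as
# "-----BEGIN TRUSTED CERTIFICATE-----" (DER certificate followed by the
# trust/aux block), whereas a plain CA certificate starts with
# "-----BEGIN CERTIFICATE-----". Counting the former detects the bundle
# shape that breaks foreman-proxy on 6.13 and libcurl on RHEL7.

# Print the number of trust-rule certificate blocks in the bundle given as $1.
# A missing file counts as 0 (grep's error is silenced).
trust_rule_count() {
    n=$(grep -c '^-----BEGIN TRUSTED CERTIFICATE-----' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Print the number of plain certificate blocks in the bundle given as $1.
plain_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Return 0 if the bundle is acceptable, 1 if any certificate carries trust
# rules or if the file holds no certificates at all. Diagnostics go to stderr.
check_ca_bundle() {
    bundle="$1"
    trusted=$(trust_rule_count "$bundle")
    plain=$(plain_cert_count "$bundle")
    if [ "$trusted" -gt 0 ]; then
        echo "ERROR: $bundle: $trusted certificate(s) carry trust rules (BEGIN TRUSTED CERTIFICATE)" >&2
        echo "       Re-export them without trust rules: openssl x509 -in cert.pem -out cert.clean.pem" >&2
        return 1
    fi
    if [ "$plain" -eq 0 ]; then
        echo "ERROR: $bundle: no PEM certificates found" >&2
        return 1
    fi
    echo "OK: $bundle: $plain certificate(s), none with trust rules"
    return 0
}

# Write two constructed sample bundles into directory $1. The base64 bodies
# are placeholders, not real certificates; only the PEM headers matter here.
write_sample_bundles() {
    dir="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=' \
        '-----END CERTIFICATE-----' > "$dir/clean-bundle.pem"
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=' \
            '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' \
            'Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=' \
            '-----END TRUSTED CERTIFICATE-----'
    } > "$dir/trust-rule-bundle.pem"
}

# Stand-alone run: build the samples and check both (the second is rejected).
demo_dir=$(mktemp -d)
write_sample_bundles "$demo_dir"
check_ca_bundle "$demo_dir/clean-bundle.pem"
check_ca_bundle "$demo_dir/trust-rule-bundle.pem" || echo "(trust-rule bundle rejected, as intended)"
rm -rf "$demo_dir"
```

`check_ca_bundle` is the piece a validator like katello-certs-check would call on the supplied CA bundle before the installer accepts it. The remediation it prints relies on `openssl x509` writing a plain `CERTIFICATE` block unless `-trustout` (or `-addtrust`, which implies it) is given, so re-exporting the offending certificate drops the trust rules while keeping the certificate itself.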

Actions #1

Updated by The Foreman Bot 4 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/909 added
Actions #2

Updated by The Foreman Bot about 1 month ago

  • Fixed in Releases 3.11.0 added
Actions #3

Updated by Joniel Pasqualetto about 1 month ago

  • Status changed from Ready For Testing to Closed