fixes #22196 - configure hammer SSL CA certificate bundle #574
Issues: #22196
@@ -0,0 +1,5 @@ | |||
if answers['foreman::cli'].is_a? Hash # If user has already specified options, set the SSL CA file | |||
answers['foreman::cli']['ssl_ca_file'] = '/etc/pki/katello/certs/katello-server-ca.crt' |
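Review bot: the `is_a? Hash` guard on the first line of this hunk means an install where `answers['foreman::cli']` is simply `true` (the CLI enabled with default options) never gets `ssl_ca_file` set, and the inline comment ("If user has already specified options") describes that narrower case rather than the one that needs fixing; consider normalising a `true` answer first, e.g. `answers['foreman::cli'] = {} if answers['foreman::cli'] == true`, before the assignment so both forms of the answer are covered. Separately, the hard-coded `/etc/pki/katello/certs/katello-server-ca.crt` duplicates a path that the certs configuration already decides, so if the hook stays, a one-line comment saying why this file (the CA that signed the server certificate) rather than the default CA is the correct trust anchor for hammer would help the next reader.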
I wonder if it would be a good practice to extract this from the certs answers or if that'd create more problems because it might not be available yet.
Did Kafo change? foreman::cli is at the top level of the installer, so I think it has to be. The certs are hardcoded like this for all the modules :-(
It didn't, but I wondered if we could use answers to get this value and reduce duplication. Looks like it's done in code (https://github.com/theforeman/puppet-certs/blob/60fad4d1057fca79b718c43d16d633be75e3d42d/manifests/init.pp#L110) so it's not going to work anyway.
@mbacovsky mentioned theforeman/puppet-foreman@58f1911 should fix this already.
Oh I missed that. But, it picks the wrong cert anyway when using custom certs. default-ca is the katello-generated CA, and server-ca is the one from custom certs. This is what it produces without this PR:
Because of how we have answers set:
Can we reverse the CA and Chain? I'm honestly not sure how this works, I think we take the custom certs they provide and then sign them with the Katello generated CA. @ehelms would know
I don't mind if we reverse them, that shouldn't have an effect since both are checked. I think the current setting is technically correct though. According to Apache Whereas the server_ssl_ca is for CAs of the clients with whom you deal and our client certificates (e.g. rhsm) are signed by the default-ca.
@stbenjam I think you're right that we should be preferring the chain since that's everything CA does + allows client certificate authentication. See https://stackoverflow.com/a/5543737
@ekohl So do you think Foreman should send the CA chain to hammer instead (if there is one)?
Agreed with the chain file -- it signed the server certificates and hammer is wanting to verify the server. |
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateChainFile is not that clear to me, but I think it supports that we should reverse the order:
I don't think so, whatever CA we put in That means for example, in the case of a corp with a PKI that issues client certificates to users too, they'll be able to authenticate to the Foreman with those certificates and it may not be desired. Worse, any client certificate from a large commercial CA would be acceptable in the case of something signed by Symantec.
I think we just want to do this? https://github.com/theforeman/puppet-foreman/compare/master...stbenjam:22196?expand=1
I agree with @stbenjam here. The Chain file should be the CA (or chain of CAs) that signed the server certificates.
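The distinction the thread converges on (the default CA signs client certificates such as rhsm's, the chain file is the CA that signed the server certificate, and hammer needs the latter to verify the server) can be checked in code. The following Ruby script is an added example, not part of this PR or of hammer/puppet-foreman; it builds a constructed two-root PKI in memory with hypothetical names (`default-ca`, `server-ca`, `foreman.example.com`, `rhsm-client`) and shows which trust anchor lets a client verify the server certificate:

```ruby
require 'openssl'

# Constructed, in-memory model of the two trust roots discussed in the thread:
# a "default-ca" that issues client certificates (the role rhsm's certs play)
# and a separate "server-ca" that issued the Foreman server certificate.
# All names here are hypothetical; this is not Katello's real PKI.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue a certificate. With issuer_cert/issuer_key nil the certificate is
# self-signed (a root CA); otherwise it is signed by the given issuer.
def make_cert(subject:, key:, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Two independent roots: one for client certs, one for the server cert.
def build_pki
  default_ca_key = make_key
  default_ca = make_cert(subject: '/CN=default-ca', key: default_ca_key, serial: 1, ca: true)
  server_ca_key = make_key
  server_ca = make_cert(subject: '/CN=server-ca', key: server_ca_key, serial: 2, ca: true)
  server_cert = make_cert(subject: '/CN=foreman.example.com', key: make_key, serial: 3, ca: false,
                          issuer_cert: server_ca, issuer_key: server_ca_key)
  client_cert = make_cert(subject: '/CN=rhsm-client', key: make_key, serial: 4, ca: false,
                          issuer_cert: default_ca, issuer_key: default_ca_key)
  { default_ca: default_ca, server_ca: server_ca, server_cert: server_cert, client_cert: client_cert }
end

# What a client such as hammer does with its ssl_ca_file: load the CA(s) it
# was handed as trust anchors and verify the certificate the peer presents.
def verifies?(trusted_cas, leaf)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  store.verify(leaf)
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  puts "server cert vs server-ca (chain file): #{verifies?([pki[:server_ca]], pki[:server_cert])}"  # true
  puts "server cert vs default-ca (client CA): #{verifies?([pki[:default_ca]], pki[:server_cert])}" # false
  puts "client cert vs default-ca:             #{verifies?([pki[:default_ca]], pki[:client_cert])}" # true
end
```

Handing hammer only the default CA reproduces the failure without this PR: the server certificate does not chain to it, so verification fails even though the same CA is perfectly valid for the client certificates Apache checks on its side. Handing it the bundle of both CAs also works, which is why the thread can say both being checked has no ill effect for hammer.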
@stbenjam yes, I think it could be that simple.
I've opened PRs to reverse this and with the alternate fix to puppet-foreman. Sorry for the mess of PRs here, but I think this ends up being a better solution. Fewer hard-coded paths in the answers file is better.