Unable to change ssl certificate

Problem:
Initially, a self-signed SSL certificate was installed on the server. Now there is a need to change it to an organization certificate. To do this, I requested an intermediate CA certificate from my organization and issued a Katello certificate, signing it with the intermediate certificate. The problem is that when the check runs, an error is detected in one of the items:

[root@foreman]# katello-certs-check -c katello.crt -k frmkey.pem  -b frmCA.cer
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[FAIL]

The /opt/frmCA.cer does not verify the /opt/katello.crt
C = RU, ST = City, L = City, O = home, OU = IT, CN = foreman.my.ru
error 18 at 0 depth lookup: self signed certificate
error /opt/katello.crt: verification failed

Checking CA bundle size: 1
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]


Expected outcome:
successful completion of verification
Foreman and Proxy versions:
foreman 3.4
Foreman and Proxy plugin versions:
katello 4.6
Distribution and version:

Other relevant data:

As the error message tells you: the certificate in katello.crt cannot be verified against the CA chain in frmCA.cer.

Run

$ openssl verify -CAfile /opt/frmCA.cer -purpose sslserver -verbose /opt/katello.crt

and make sure this succeeds.

The same mistake…
error 18 at 0 depth lookup: self signed certificate
error katello.crt: verification failed

  • What could I have done wrong?

The openssl command is the command the script executes at the point of error. That’s why I posted it so you can test the certificate without running the whole script.

As the error says: the certificate in katello.crt is self signed. It has not been issued by the CA chain certs in frmCA.cer.

I received a RootCA certificate from my organization and signed the Katello certificate with it, isn't that right?

I thought you had got an intermediate CA, not a root CA. Which is it?

But either way: according to the error message the server certificate in katello.crt is self signed, i.e. it’s NOT signed by any CA but only by itself…

# openssl x509 -in katello.crt -noout -issuer -subject

should show you.
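To make the two replies above concrete, here is a shell script that is added here and is not part of the original thread or of the Foreman/Katello tooling. It rebuilds both situations with throwaway keys: the same server key and CSR is issued once self-signed (issuer equals subject, which is exactly what "error 18 at 0 depth lookup: self signed certificate" reports) and once by an intermediate CA, and each result is run through the same `openssl verify -CAfile ... -purpose sslserver` check that `katello-certs-check` performs. It goes one step beyond the thread by also showing that a bundle containing only the intermediate is not enough: `openssl verify` wants the chain to end at a self-signed root, so the file given to `-b` must hold intermediate and root. It assumes only that `openssl` (1.1.1 or 3.x) is on PATH; the names (`foreman.example.test`, `Example Root CA`, `Example Intermediate CA`) and the extension files are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread above. Assumes only `openssl` on PATH.
# All certificate names and files are made up and live in a temp directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Run a command quietly; openssl's progress chatter is noise here.
q() { "$@" >/dev/null 2>&1; }

# Print the issuer or subject of a cert in RFC2253 form, minus the
# "issuer="/"subject=" prefix, so the two strings can be compared verbatim.
cert_name() {
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*=//'
}

# A self-signed certificate is one whose issuer is its own subject.
is_self_signed() {
  [ "$(cert_name "$1" issuer)" = "$(cert_name "$1" subject)" ]
}

# The check katello-certs-check runs: does the CA bundle verify the cert?
# Usage: verifies_against CERT BUNDLE
verifies_against() {
  q openssl verify -CAfile "$2" -purpose sslserver "$1"
}

make_demo_certs() {
  cd "$WORK"
  # CA certs need CA:TRUE and keyCertSign; the server cert needs a SAN,
  # keyEncipherment and serverAuth for "-purpose sslserver" to accept it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foreman.example.test\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > srv.ext

  # Organisation root CA (self-signed) and intermediate CA (signed by the root).
  q openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' -keyout root.key -out root.csr
  q openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt
  q openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr
  q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 -extfile ca.ext -out int.crt

  # One server key and CSR, issued twice from the same request:
  q openssl req -newkey rsa:2048 -nodes -subj '/CN=foreman.example.test' -keyout srv.key -out srv.csr
  #  (a) self-signed, like the default install: issuer == subject
  q openssl x509 -req -in srv.csr -signkey srv.key -days 365 -extfile srv.ext -out self.crt
  #  (b) signed by the intermediate: what the organisation certificate should look like
  q openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial -days 365 -extfile srv.ext -out srv.crt

  # The bundle handed to katello-certs-check -b must carry the whole chain.
  cat int.crt root.crt > bundle.crt
}

make_demo_certs

# Walk through the cases the thread discusses.
for c in self.crt srv.crt; do
  if is_self_signed "$WORK/$c"; then
    echo "$c: self-signed (issuer == subject), no CA bundle can verify it"
  else
    echo "$c: issued by $(cert_name "$WORK/$c" issuer)"
  fi
  for b in int.crt bundle.crt; do
    if verifies_against "$WORK/$c" "$WORK/$b"; then
      echo "  verify against $b: OK"
    else
      echo "  verify against $b: FAIL"
    fi
  done
done
```

Only `srv.crt` checked against `bundle.crt` passes: the self-signed copy fails against everything, and the properly issued certificate still fails against the intermediate alone because the chain cannot be completed to a trusted root. When `katello-certs-check` reports `[FAIL]` on "Checking CA bundle against the certificate file", compare issuer and subject first; if they match, the certificate was signed with its own key, not by the CA.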