Using external ssl certificate

sabarees08 · March 30, 2023, 5:54am

Problem:
There is an issue when trying to use external certificate.
When using katello-cert-check command ,

[root@satellite-server SSL-CERT]# katello-certs-check -c fullchain.crt -k privatekey -b CSR
Checking server certificate encoding:
[OK]

unable to load certificate
140677509474112:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
date: invalid date ‘+%Y%m%d%H%M%S’
Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[FAIL]

The CA bundle "/root/SSL-CERT/CSR" has already expired on:
Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[FAIL]

The /root/SSL-CERT/CSR does not verify the /root/SSL-CERT/fullchain.crt
Error loading file /root/SSL-CERT/CSR

Checking CA bundle size: 1
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

Expected outcome:
Use external SSL Certificate in the server.
Foreman and Proxy versions:
Foreman 3.5 and Katello 4.7
Distribution and version:
Rocky Linux release 8.7 (Green Obsidian)
Other relevant data:
When running foreman-installer command:

[root@satellite-server SSL-CERT]# foreman-installer --scenario katello --certs-server-cert "fullchain.crt" --certs-server-key "privatekey" --certs-server-ca-cert "CSR" --certs-update-server --
certs-update-server-ca
2023-03-30 01:52:44 [NOTICE] [root] Loading installer configuration. This will take some time.
2023-03-30 01:52:47 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2023-03-30 01:52:47 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2023-03-30 01:52:49 [ERROR ] [root] Parameter certs-server-cert invalid: fullchain.crt is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?
[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
2023-03-30 01:52:49 [ERROR ] [root] Parameter certs-server-key invalid: privatekey is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\
/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
2023-03-30 01:52:49 [ERROR ] [root] Parameter certs-server-ca-cert invalid: CSR is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][
^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
Error during configuration, exiting

The same issue comes when trying to use external certificate while fresh install and post-install of foreman.

gvde · March 30, 2023, 6:34am

Check the usage of katello-certs-check:

# katello-certs-check 
One of the required parameters is missing.
Verifies, that custom SSL certificate files are usable
as part of the Katello installation. When passing filenames use absolute paths.

usage: /sbin/katello-certs-check -t [foreman|foreman-proxy] -c CERT_FILE -k KEY_FILE -b CA_BUNDLE_FILE

CERT_FILE is the certificate in PEM format.
KEY_FILE is the private key in PEM format.
CA_BUNDLE_FILE is the full CA chain for the certificate including the root CA.

Without knowing the content of your files fullchain.crt sounds a lot like it is not only the certificate but includes the chain, CSR sounds more like a certificate signing request than a ca chain.