No, you were right after all. The CA certs (/etc/pki/katello/certs/katello-server-ca.crt and /etc/pki/katello/puppet/puppet_client_ca.crt – two copies of the same file) have multiple certs in them. When you split them out and check them all, there’s one that is RSA1. Once I removed the RSA1 cert and rebooted the reports started coming in again.
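The check described above (split the CA bundle into its individual certificates and look at each one's signature algorithm), as an added Python example that is not code from this thread; it reads only the Certificate.signatureAlgorithm field from each PEM block with the standard library, which is the value `openssl x509 -noout -text` prints as "Signature Algorithm", and it flags the ECDSA and DSA SHA-1 variants as well as sha1WithRSAEncryption. The sample bundle at the bottom is constructed inside the script (minimal DER shells, not real certificates); run it against the real files such as /etc/pki/katello/certs/katello-server-ca.crt instead.

```python
import base64
import re

# DER content bytes of the SHA-1 signature-algorithm OIDs that the EL9 DEFAULT
# crypto policy rejects: sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce380403"): "dsaWithSHA1",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_oid(der):
    """Raw OID bytes of Certificate.signatureAlgorithm (RFC 5280 layout)."""
    _, cert, _ = _tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _tlv(alg_id, 0)
    return oid

def sha1_signed_certs(bundle_pem):
    """Return [(index, algorithm name)] for every SHA-1-signed cert in a PEM bundle."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(bundle_pem)):
        der = base64.b64decode("".join(m.group(1).split()))
        name = SHA1_SIG_OIDS.get(signature_oid(der))
        if name:
            hits.append((i, name))
    return hits

# Constructed sample input (not real certificates): minimal DER shells with an empty
# tbsCertificate and empty signature, so only signatureAlgorithm carries information.
def _der(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length is enough here

def _fake_cert_pem(sig_oid):
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    der = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = (_fake_cert_pem(bytes.fromhex("2a864886f70d01010b"))    # sha256WithRSAEncryption
                 + _fake_cert_pem(bytes.fromhex("2a864886f70d010105")))  # sha1WithRSAEncryption
```

To check a real bundle, read the file into a string and pass it to sha1_signed_certs(); the returned indexes tell you which block in the chain to drop (or which root to leave in, if the signature on a self-signed root is irrelevant for your use).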
I have noticed the same error. /etc/pki/katello/certs/katello-server-ca.crt and /etc/pki/katello/puppet/puppet_client_ca.crt both contain the full chain of our custom certificate. This includes the root ca certificate, which in our case is
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
which has
Signature Algorithm: sha1WithRSAEncryption
But as far as I understand, sha1 for a root ca is acceptable because the signature is not really relevant.
So, now I could either remove the root ca from our ca chain which I pass to foreman-installer in --certs-server-ca-cert, or enable SHA1 for the time being. But if I am not mistaken, the root ca should be passed to certs-server-ca-cert for pinning. So far, it seems to me as if only puppetserver complains about the sha1 root ca.
Running the following fixed it for me:
update-crypto-policies --set LEGACY
reboot
Please do not do that. Do not suggest that as a “fix”. It is very bad advice. It’s a temporary workaround at best, and it’s not necessary either, because DEFAULT:SHA1 would suffice to allow SHA1 again.
Your “fix” allows all legacy encryption for all encryption on your system. That has serious implications and shouldn’t be done lightly.
So if anything, you could do
# update-crypto-policies --set DEFAULT:SHA1
to temporarily allow the SHA1 signatures until the bug has been fixed.
But again: it’s not a fix! It’s a temporary workaround which should be undone once the bug has been fixed.
If you post something like this, there will always be people who simply follow without understanding what they do and they will never even know the potential security implications it has…
DEFAULT:SHA1 didn’t work for me previously, but it does now. Thanks!
This change normally needs a reboot, maybe because of that.
You can simply restart all foreman services
# foreman-maintain service restart
or in this case simply the puppetserver.
# systemctl restart puppetserver.service
That is enough. Only the puppetserver must know about the new setting. Everything else doesn’t bother anyway.
We fixed it with a custom policy on our Puppetserver:
hash@java-tls = SHA1+
sign@java-tls = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
This enables SHA1 only for Java.