Using leapp to upgrade from Rocky 8.10 to Rocky 9

No, you were right after all. The CA certs (/etc/pki/katello/certs/katello-server-ca.crt and /etc/pki/katello/puppet/puppet_client_ca.crt – two copies of the same file) have multiple certs in them. When you split them out and check them all, there’s one that is RSA1. Once I removed the RSA1 cert and rebooted the reports started coming in again.

I have noticed the same error. /etc/pki/katello/certs/katello-server-ca.crt and /etc/pki/katello/puppet/puppet_client_ca.crt both contain the full chain of our custom certificate. This includes the root ca certificate which in our case is

/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

which has

    Signature Algorithm: sha1WithRSAEncryption

But as far as I understand, sha1 for a root ca is acceptable because the signature is not really relevant.

So, now I could either remove the root ca from our ca chain which I pass to foreman-installer in --certs-server-ca-cert or enable SHA1 for the time being. But if I am not mistaken, the root ca should be passed in --certs-server-ca-cert for pinning. So far, it seems to me as if only puppetserver complains about the sha1 root ca.
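The check described in the two posts above (split the bundle, inspect each certificate, find the one with a SHA-1 signature) as a small script. This is an added example, not code from the thread: it splits a PEM CA bundle such as /etc/pki/katello/certs/katello-server-ca.crt into individual certificates, prints each one's signature algorithm and subject, and reports whether any of them is SHA-1 signed. It assumes openssl, awk and mktemp are in PATH; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: list the signature algorithm of
# every certificate in a PEM CA bundle (e.g. katello-server-ca.crt) and flag
# the SHA-1 signed ones. Assumes openssl, awk and mktemp are in PATH.
set -u

# split_bundle BUNDLE OUTDIR: write each PEM block of BUNDLE to OUTDIR/cert-NNN.pem
split_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
    n > 0                         { print > f }
    /-----END CERTIFICATE-----/   { close(f) }
  ' "$bundle"
}

# cert_sig_alg CERT: print the signature algorithm name, e.g. sha1WithRSAEncryption
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# report_bundle BUNDLE: one line per certificate "<algorithm> <subject>";
# exit status 1 if any certificate in the bundle is SHA-1 signed, 0 otherwise
report_bundle() {
  local tmp c alg rc=0
  tmp=$(mktemp -d)
  split_bundle "$1" "$tmp"
  for c in "$tmp"/cert-*.pem; do
    alg=$(cert_sig_alg "$c")
    printf '%-26s %s\n' "$alg" "$(openssl x509 -in "$c" -noout -subject)"
    case "$alg" in *sha1*|*SHA1*) rc=1 ;; esac
  done
  rm -rf "$tmp"
  return "$rc"
}

# sha1_certs BUNDLE: print only the subjects of the SHA-1 signed certificates,
# i.e. the ones you would drop from the chain or cover with a SHA-1 subpolicy
sha1_certs() {
  local tmp c
  tmp=$(mktemp -d)
  split_bundle "$1" "$tmp"
  for c in "$tmp"/cert-*.pem; do
    case "$(cert_sig_alg "$c")" in
      *sha1*|*SHA1*) openssl x509 -in "$c" -noout -subject ;;
    esac
  done
  rm -rf "$tmp"
}

# Usage: check-bundle.sh /etc/pki/katello/certs/katello-server-ca.crt
if [ "$#" -gt 0 ]; then
  report_bundle "$1"
fi
```

Run it against both bundles mentioned above; a non-zero exit status tells you the chain contains a SHA-1 signature, and the output tells you which subject it belongs to. Keep in mind what the second post says: for a self-signed root the signature is not what a verifier checks, so a SHA-1 signed root in the bundle is a policy problem for the consumer (here puppetserver), not a weakness of the trust chain itself.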


Running the following fixed it for me:

update-crypto-policies --set LEGACY
reboot

Please do not do that. Do not suggest that as “fix”. It is very bad advice. It’s a temporary workaround at best and it’s not necessary either, because DEFAULT:SHA1 would suffice to allow SHA1 again.

Your “fix” allows all legacy encryption for all encryption on your system. That has serious implications and shouldn’t be done lightly.

So if anything, you could do

# update-crypto-policies --set DEFAULT:SHA1

to temporarily allow the SHA1 signatures until the bug has been fixed.

But again: it’s not a fix! It’s a temporary workaround which should be undone once the bug has been fixed.

If you post something like this, there will always be people who simply follow without understanding what they do and they will never even know the potential security implications it has…


DEFAULT:SHA1 didn’t work for me previously, but it does now. thanks!

This change normally needs a reboot, maybe because of that 🙂

You can simply restart all foreman services

# foreman-maintain service restart

or in this case simply the puppetserver.

# systemctl restart puppetserver.service

That is enough. Only the puppetserver must know about the new setting. Everything else doesn’t bother anyway.


We fixed it with a custom Policy on our Puppetserver:

hash@java-tls = SHA1+
sign@java-tls = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+

This enables SHA1 only for Java.
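The three options discussed in this thread differ mostly in scope: `LEGACY` loosens every backend on the box, `DEFAULT:SHA1` re-allows SHA-1 signatures for every backend, and the Java-scoped directives quoted in the post above touch only the `java-tls` backend that puppetserver uses. As an added example (not code from the thread or from the Foreman project), the script below installs those two directives as a named crypto-policies subpolicy module, activates it, and can undo it again once the underlying bug is fixed. The module name `JAVASHA1`, the function names and the `apply`/`revert` arguments are my choices; the modules directory `/etc/crypto-policies/policies/modules/` and the `update-crypto-policies --set DEFAULT:<MODULE>` form are the standard way custom subpolicies are applied on RHEL-family systems. It needs root to apply.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: ship the Java-only SHA-1 allowance as a
# named crypto-policies subpolicy instead of switching the system to LEGACY.
# Module name JAVASHA1 is my choice; the two directives are the ones quoted above.
set -u

MODULES_DIR=/etc/crypto-policies/policies/modules
MODULE_NAME=JAVASHA1

# write_java_sha1_pmod FILE: write the scoped subpolicy. Only the java-tls
# backend is affected; OpenSSL, GnuTLS, NSS, OpenSSH etc. keep the DEFAULT rules.
write_java_sha1_pmod() {
  cat > "$1" <<'EOF'
# Temporary workaround: allow SHA-1 signatures for Java TLS only.
# Remove this module and run "update-crypto-policies --set DEFAULT" once fixed.
hash@java-tls = SHA1+
sign@java-tls = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
EOF
}

# policy_with_module NAME: the policy string passed to update-crypto-policies
policy_with_module() { printf 'DEFAULT:%s\n' "$1"; }

# apply_java_sha1: install the module, activate DEFAULT:JAVASHA1 and restart
# puppetserver, which is the only service here that needs to see the change
apply_java_sha1() {
  write_java_sha1_pmod "$MODULES_DIR/$MODULE_NAME.pmod"
  update-crypto-policies --set "$(policy_with_module "$MODULE_NAME")"
  systemctl restart puppetserver.service
  update-crypto-policies --show
}

# revert_java_sha1: undo the workaround once the bug has been fixed
revert_java_sha1() {
  update-crypto-policies --set DEFAULT
  rm -f "$MODULES_DIR/$MODULE_NAME.pmod"
  systemctl restart puppetserver.service
  update-crypto-policies --show
}

case "${1:-}" in
  apply)  apply_java_sha1 ;;
  revert) revert_java_sha1 ;;
  "")     : ;;   # no argument: only define the functions, change nothing
  *)      echo "usage: $0 apply|revert" >&2; exit 2 ;;
esac
```

`update-crypto-policies --show` should print `DEFAULT:JAVASHA1` after applying, and `DEFAULT` again after reverting, which makes the workaround visible in audits rather than silently left behind.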