Bug #31574

closed

The Artemis client certificate is not updated in truststore if it changes

Added by Eric Helms over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Foreman modules
Target version:
Fixed in Releases:
Found in Releases:

Description

The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>

[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095

However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>

[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B

Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>

[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56

They should match, but don't
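
The manual comparison in the report can be scripted as a drift check. This is an added example, not part of the original report or of the Foreman/Katello code; the function names are hypothetical, and it only parses the text that `keytool -list` and `openssl x509 -noout -fingerprint` print. It goes slightly beyond the report by also accepting keytool output that labels the fingerprint SHA-256 and openssl output with a lower-case digest label.

```sh
#!/bin/sh
# Added example: compare a truststore alias against a PEM cert using the
# text output of keytool and openssl (parsing only, no keystore access here).

# Strip colons/whitespace and upper-case, so both tools' formats compare equal.
normalize_fp() { tr -d ':[:space:]' | tr '[:lower:]' '[:upper:]'; }

# store_entry ALIAS: read `keytool -list` output on stdin and print
# "<ALGO> <FINGERPRINT>" for that alias (ALGO is e.g. SHA1 or SHA256).
store_entry() {
    awk -v alias="$1" '
        index($0, alias ",") == 1 { found = 1; next }   # "<alias>, <date>, <type>,"
        found && /^Certificate fingerprint \(/ {
            algo = $0; sub(/^[^(]*\(/, "", algo); sub(/\).*/, "", algo); gsub(/-/, "", algo)
            fp = $0; sub(/^[^:]*: */, "", fp)
            print algo, fp; exit
        }'
}

# cert_fp: read `openssl x509 -noout -fingerprint` output on stdin, print the value.
cert_fp() { sed -n 's/^[^=]*[Ff]ingerprint=//p' | head -n 1; }

# digest_flag KEYTOOL_OUTPUT ALIAS: openssl digest option matching the store entry.
digest_flag() {
    printf '%s\n' "$1" | store_entry "$2" | awk '{ print "-" tolower($1) }'
}

# truststore_in_sync KEYTOOL_OUTPUT OPENSSL_OUTPUT ALIAS
# returns 0 = fingerprints match, 1 = drift, 2 = alias not in the store
truststore_in_sync() {
    entry=$(printf '%s\n' "$1" | store_entry "$3")
    [ -n "$entry" ] || return 2
    store=$(printf '%s' "${entry#* }" | normalize_fp)
    cert=$(printf '%s\n' "$2" | cert_fp | normalize_fp)
    [ -n "$cert" ] && [ "$store" = "$cert" ]
}

# Sample input: the two outputs quoted in the report above.
KEYTOOL_OUT='Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B'
OPENSSL_OUT='SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56'

if truststore_in_sync "$KEYTOOL_OUT" "$OPENSSL_OUT" artemis-client; then
    echo "artemis-client matches java-client.crt"
else
    echo "artemis-client does not match java-client.crt (rc=$?)"
fi
```

On a live host, capture the `keytool -list -keystore truststore` output first, then run `openssl x509 -noout -fingerprint` on `java-client.crt` with the option printed by `digest_flag` so both fingerprints use the same digest.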
