Refs #28924: Drop amqp key and truststore + generate Artemis client certs

[ehelms]

No description provided.

[ekohl]

I think we should ensure it's absent to clean up after ourselves, but I don't recall if we can ensure directories are absent in Puppet.

[ehelms]

I wondered about that. Should the puppet module clean this up or installer post install task clean this up?

[ekohl]

Normally I'd say Puppet but if Puppet can't clean up directories with the file type then I'm ok with a post install task rather than an exec here.

[ehelms]

From my googling you can do a regular file set to absent with recursive set to true. This just doesn't feel as clean. That weird line where sometimes we cleanup in the puppet module and sometimes we use the puppet module to simply represent the state and the installer does cleanup. I thought we were universally doing the latter. Its hard to know which way to go.

[jturel]

Seeing this:

[ WARN 2020-03-09T18:11:46 verbose]  Unknown variable: 'artemis_keystore'. (file: /usr/share/foreman-installer/modules/certs/manifests/candlepin.
pp, line: 128, column: 200)

So the subsequent keytool command fails since -destkeystore is missing

[jturel]

@ehelms just pinging to ensure you saw my last update 🏓

[ekohl]

ACK, leaving it open so it can be merged together with the candlepin change.

[jturel]

I did some testing and was able to connect with SSL client auth from Katello to Artemis.

I basically followed the steps here, extracted the client cert+key from the stores, and used them to connect. Seems like we should be able to approximate that here, and let me know if I can provide any more detail.

[ehelms]

@jturel Apologies, I'm not following what the action item is regarding server and client keystores.

[jturel]

@jturel Apologies, I'm not following what the action item is regarding server and client keystores.

I need my own clarification then :)

The artemis_client entry you've added to the keystore: what is the purpose of that? Is it for Katello to use? If so, I suppose we'll need puppet-katello to extract the cert and key in PEM format in order to connect to the broker.

Or is it for Candlepin to use? If so, Candlepin is connecting directly to the embedded artemis without SSL since it's running within the same JVM which means it's not necessary, unless you're thinking forward to candlepin connecting to an external Artemis

[ehelms]

Ahh yes. This client certificate is being added to the keystore/truststore so that it can be used by Katello. The client certificate is already deployed to the system in a place that Katello can consume it. This change is just ensuring its in the truststore. We abuse keystore/truststore by creating one and using it for both.

/etc/pki/katello/certs/java-client.crt
/etc/pki/katello/private/java-client.key

[jturel]

I think the CN should be $hostname rather than $cname

[ehelms]

To be safe, I think this is correct. See https://github.com/theforeman/puppet-certs/pull/275/files#diff-0a129cc5a540f220caade2da4fc3229bR37

[jturel]

Hmm, well here's the contents of the file:

katelloUser=C=Raleigh, ST=North Carolina, O=candlepin, OU=SomeOrgUnit, CN=[]

Hard to discern what you wanted me to see at that URL..

[ehelms]

Ohh, yea, I see now how this gets handled.

[ehelms]

Updated to hostname, I forget cname is additional cnames to add.

[ekohl]

In SSL you have Common Name (cn) and subject Alternative Name (subjectAltName). cname is DNS terminology.

[jturel]

It actually seems like the order of these matters.... (most specific -> least specific?)

Should be like this: CN=localhost, OU=SomeOrgUnit, O=candlepin, ST=North Carolina, C=US

Note also that C is country, not city

[ehelms]

Ahh yea, sorry you are right on the country.

I modeled this off of "C=US, ST=North Carolina, O=candlepin, OU=SomeOrgUnit, CN=dhcp-8-29-228.lab.eng.rdu2.redhat.com"

openssl x509 -noout -text -in /etc/pki/katello/certs/java-client.crt

[jturel]

All good. When I re-order them in login.config it prevents Katello from connecting with an auth failure 🤷

[jturel]

ACK. works in prod and dev.