
Fixes #39446 - Reject non-PEM content in katello-certs-check #1062

Open
Satellite-RedHat wants to merge 1 commit into theforeman:develop from Satellite-RedHat:fixes-39446-reject-non-pem-cert-content

@Satellite-RedHat Satellite-RedHat commented Jun 24, 2026

Certificate files exported from PKCS#12/PFX bundles may contain OpenSSL metadata between PEM blocks that Pulp rejects at sync time. Add an early PEM structure check for the server cert and CA bundle.

Summary

  • Add check-pem-content to reject certificate files with content outside PEM CERTIFICATE blocks (e.g. PKCS#12 Bag Attributes from Windows PFX exports)
  • Add test fixture and RSpec coverage
  • Prevents Pulp sync failures: Must be PEM encoded X.509 certificate

Related issues

Certificate files exported from PKCS#12/PFX bundles may contain
OpenSSL metadata between PEM blocks that Pulp rejects at sync time.
Add an early PEM structure check for the server cert and CA bundle.

Co-authored-by: Cursor <cursoragent@cursor.com>
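
A structural check of the kind described above, as an added example (not the PR's `check-pem-content` code, which is not shown on this page). The function names, the sample file contents, and the choice to tolerate blank lines and CRLF endings are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the PR's check-pem-content code.
# find_non_pem_content FILE: prints "LINE: text" for every non-blank line
# outside a PEM CERTIFICATE block. Returns non-zero if any such line exists,
# a block is left unterminated, or the file holds no certificate at all.
find_non_pem_content() {
  awk '
    BEGIN { bad = 0; inside = 0; blocks = 0 }
    { sub(/\r$/, "") }   # this example tolerates CRLF line endings
    /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; next }
    /^-----END CERTIFICATE-----$/ {
      if (inside) blocks++; else bad = 1
      inside = 0; next
    }
    inside { next }              # base64 body of a certificate
    /^[ \t]*$/ { next }          # assumption: blank separator lines are allowed
    { printf "%d: %s\n", NR, $0; bad = 1 }
    END { if (inside || blocks == 0) bad = 1; exit bad }
  ' "$1"
}

# Writes a constructed sample shaped like a PKCS#12 export: OpenSSL bag
# metadata followed by one PEM block. The base64 body is a placeholder,
# not a real certificate; the check is structural only.
write_sample_pfx_export() {
  cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: constructed-sample
subject=CN = server.example.com
issuer=CN = Example CA
-----BEGIN CERTIFICATE-----
TUlJQ29uc3RydWN0ZWRTYW1wbGVCb2R5
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample: lists the five metadata lines, then rejects.
sample=$(mktemp) && write_sample_pfx_export "$sample"
find_non_pem_content "$sample" || echo "rejected: content outside PEM CERTIFICATE blocks"
rm -f "$sample"
```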