Bug 1032849
Summary: | lmi command fails with certificate error | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Russell Doty <rdoty> | ||||
Component: | tog-pegasus | Assignee: | Stephen Gallagher <sgallagh> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 22 | CC: | agk, hamzy, miminar, sgallagh, tsmetana, vcrhonek | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-06-07 13:46:16 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1041555 | ||||||
Attachments: |
|
Description
Russell Doty
2013-11-21 02:31:35 UTC
Command works when used with the noverify option: $ lmi -n hwinfo username: root password: Hostname: localhost Chassis Type: Desktop Manufacturer: Gigabyte Technology Co., Ltd. Model: (GA-MA78GM-S2H) Serial Number: Not Specified Asset Tag: 0 CPU: AMD Phenom(tm) 9550 Quad-Core Processor Topology: 1 cpu(s), 1 core(s), 1 thread(s) Max Freq: 3000 MHz Arch: x86_64 Memory: 4 GB Slots: 2 used, 4 total This is odd, as I had configured the SSL certificates using the instructions at http://www.openlmi.org/PegasusSSL. How do you check certificate status? The command should return a message that the SSL certificate is not properly configured rather than failing with a file not found message. If selinux is in enforcing mode the lmi command fails: When run as regular user: ]$ lmi -n hwinfo username: root password: ERROR: invocation failed for host "https://localhost": 'NoneType' object has no attribute 'ChassisPackageType' There was 1 error: host https://localhost (AttributeError) 'NoneType' object has no attribute 'ChassisPackageType' [rdoty@localhost ~]$ lmi hwinfo username: root password: ERROR: invocation failed for host "https://localhost": 'NoneType' object has no attribute 'ChassisPackageType' There was 1 error: host https://localhost (AttributeError) 'NoneType' object has no attribute 'ChassisPackageType' When run as root: ]$ su Password: [root@localhost rdoty]# lmi hwinfo ERROR: invocation failed for host "https://localhost": (1, u'CIM_ERR_FAILED: File "libComputerSystemProvider.so" was not found for provider module "ComputerSystemModule".') There was 1 error: host https://localhost CIM_ERR_FAILED: File "libComputerSystemProvider.so" was not found for provider module "ComputerSystemModule".: [root@localhost rdoty]# lmi -n hwinfo ERROR: invocation failed for host "https://localhost": (1, u'CIM_ERR_FAILED: File "libComputerSystemProvider.so" was not found for provider module "ComputerSystemModule".') There was 1 error: host https://localhost CIM_ERR_FAILED: File "libComputerSystemProvider.so" was not found for provider module "ComputerSystemModule".: Filed bug #1033027 against the SELinux policy to fix the AVC denials. I don't have any answers to the certificate verification problem yet. Re-purposing this ticket to focus on the certificate problems faced by the local testing user. What we want to do is to have the self-signed certificate trusted for use with the local system. Created attachment 836377 [details] Patch to generate a mini-CA and save that CA to the shared trust store With this patch (submitted upstream at http://bugzilla.openpegasus.org/show_bug.cgi?id=9831) we will generate a single-use CA certificate and a service certificate for Pegasus. We will sign the service certificate and then discard the private key for the CA certificate (ensuring that it cannot be used to sign anything else). We will then copy the mini-CA into the shared certificate store. This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22 Comment on attachment 836377 [details]
Patch to generate a mini-CA and save that CA to the shared trust store
Clearing review flag.
|