Bug 1169289
| Summary: | [RFE] validate custom certificates before Satellite 6 installation | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Ivan Necas <inecas> | ||||
| Component: | Installation | Assignee: | Ivan Necas <inecas> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Katello QA List <katello-qa-list> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 6.0.4 | CC: | bbuckingham, bkearney, cwelton, inecas, jmontleo, ktordeur, mmccune, pmoravec, sghai, stbenjam, sthirugn, wlehman, xdmoon | ||||
| Target Milestone: | Unspecified | Keywords: | FutureFeature, Reopened, Triaged | ||||
| Target Release: | Unused | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| URL: | http://projects.theforeman.org/issues/8609 | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Enhancement | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-07-29 14:17:00 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Ivan Necas
2014-12-01 09:21:50 UTC
Can this be a tool we deliver with satellite that can be run and we document the use of the tool? Created redmine issue http://projects.theforeman.org/issues/8609 from this bug Proposed solution at https://bugzilla.redhat.com/show_bug.cgi?id=1169289, the script https://github.com/iNecas/katello-installer/blob/issue/8609/bin/katello-certs-check can be used separately for on-site certs investigation Ivan can you please provide more information about the steps required to verify this bug? I'm looking for steps to produce a success and a failure output from katello-certs-check script. This in order to make sure that it is working fine. Thank you Created attachment 1012176 [details]
A set of test certificates for testing
To test the functionality one should follow the documentated steps for setting up custom certs https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Configuring_RednbspHat_Satellite_with_a_Custom_Server_Certificate.html I've attaches a set of certs one can check. In the failed case, the installation should fail pretty soon, before proceeding to the installation itself (even the progressbar should not be shown). For the success case, it should proceed to the installation (you might get errors later as the fqdn in the certs are not matching the hostname, but that's outside of the scope of this change. To explain how the example certificates were prepared: the invalid.example.com is a valid set of certificates but was issued by a different ca, so the ca cert doesn't match it. This matrix checks, that invalid ca, or key is caught. | ca-cert | cert | key | req | result | | cacert.crt | katello.example.com.crt | katello.example.com.key | katello.example.com.crt.req | OK | | cacert.crt | invalid.example.com.crt | katello.example.com.key | katello.example.com.crt.req | FAIL | | cacert.crt | katello.example.com.crt | invalid.example.com.key | katello.example.com.crt.req | FAIL | | cacert.crt | invalid.example.com.crt | invalid.example.com.key | katello.example.com.crt.req | FAIL | FAILEDQA: # rpm -qa | grep foreman foreman-compute-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch rubygem-hammer_cli_foreman-0.1.4.13-1.el6_6sat.noarch foreman-vmware-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch foreman-postgresql-1.7.2.26-1.el6_6sat.noarch foreman-libvirt-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman-tasks-0.6.12.7-1.el6_6sat.noarch rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch rubygem-hammer_cli_foreman_docker-0.0.3.6-1.el6_6sat.noarch foreman-selinux-1.7.2.13-1.el6_6sat.noarch foreman-debug-1.7.2.26-1.el6_6sat.noarch foreman-ovirt-1.7.2.26-1.el6_6sat.noarch foreman-gce-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman_discovery-2.0.0.15-1.el6_6sat.noarch foreman-proxy-1.7.2.5-1.el6_6sat.noarch rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch ruby193-rubygem-foreman_docker-1.2.0.14-1.el6_6sat.noarch intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch foreman-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch steps # katello-installer --certs-server-cert /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt --certs-server-cert-req /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt.req --certs-server-key /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.key --certs-server-ca-cert /root/ownca/cacert.crt --certs-update-server --certs-update-server-ca Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-apache for update Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy for update Marking certificate /root/ssl-build/katello-server-ca for update /Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED] /Stage[main]/Apache::Service/Service[httpd]: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Could not evaluate: Connection refused - connect(2) /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Failed to call refresh: Connection refused - connect(2) /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Connection refused - connect(2) Installing Done [100%] [..................................................................] Something went wrong! Check the log for ERROR-level output The full log is at /var/log/katello-installer/katello-installer.log Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592 Accidentally closed with 6.1.1 errata Upstream bug assigned to inecas The upstream issue is closed since a year, and the code was included as part of Satellite 6.2's installer. |