Bug 1198741

Summary: Capsule: cannot browse /pub using both http and https
Product: Red Hat Satellite Reporter: Corey Welton <cwelton>
Component: Foreman ProxyAssignee: Eric Helms <ehelms>
Status: CLOSED CURRENTRELEASE QA Contact: Corey Welton <cwelton>
Severity: high Docs Contact:
Priority: unspecified    
Version: UnspecifiedCC: bbuckingham, bkearney
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/9816
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-12 13:56:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Corey Welton 2015-03-04 17:50:02 UTC 
Description of problem:

This is a parity issue vis a vis Satellite itself.

In satellite, user can browse to /pub using http and https
In the capsule, currently, user can only browser to https

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Attempt to browse to https://capsule.example.com/pub
2.  Attempt to browse to http://capsule.example.com/pub
3.  Attempt to browse to https://satellite.example.com/pub
4.  Attempt to browse to http://satellite.example.com/pub


Actual results:

User cannot browse to /pub via http ('Forbidden') on a capsule

Expected results:

User can browse via http and/or parity with satellite itself


The problem manifests itself when trying to retrieve the ca-cert from /pub, using curl, or something similar, which doesn't by default allow self-signed certs.


[root@qe-blade-03 ~]# wget https://cloud-qe-3.idmqe.lab.eng.bos.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
--2015-03-04 12:41:25--  https://cloud-qe-3.idmqe.lab.eng.bos.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
Resolving cloud-qe-3.idmqe.lab.eng.bos.redhat.com (cloud-qe-3.idmqe.lab.eng.bos.redhat.com)... 10.16.96.112
Connecting to cloud-qe-3.idmqe.lab.eng.bos.redhat.com (cloud-qe-3.idmqe.lab.eng.bos.redhat.com)|10.16.96.112|:443... connected.
ERROR: cannot verify cloud-qe-3.idmqe.lab.eng.bos.redhat.com's certificate, issued by ‘/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=rhsm-qe-2.rhq.lab.eng.bos.redhat.com’:
  Self-signed certificate encountered.
To connect to cloud-qe-3.idmqe.lab.eng.bos.redhat.com insecurely, use `--no-check-certificate'.

Now, manually user can modify this url to be http only and that sort of resolves the issue.  But the fact remains, users can browse to /pub on a satellite itself using both secure and non-secure methods.  On the capsule, users can only browse via https.

Are there workarounds?  Yes
* user can use --no-check-certificate in curl
* user can manually modify URL header even though user cannot actually browse to /pub root

But is it a good customer experience?  not really.



Additional info:
Comment 1 Corey Welton 2015-03-04 17:51:19 UTC 
Satellite-6.1.0-RHEL-7-20150303.0
Comment 3 Eric Helms 2015-03-18 17:06:43 UTC 
Created redmine issue http://projects.theforeman.org/issues/9816 from this bug
Comment 4 Bryan Kearney 2015-03-19 16:05:14 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/9816 has been closed
-------------
Eric Helms
Applied in changeset commit:katello-installer|bc4bff65feba51357cad134362b85adb885766f5.
Comment 6 Corey Welton 2015-05-15 16:06:40 UTC 
Verified in SnapGA4c2
Comment 7 Bryan Kearney 2015-08-11 13:20:52 UTC 
This bug is slated to be released with Satellite 6.1.
Comment 8 Bryan Kearney 2015-08-12 13:56:48 UTC 
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.