Bug 1221749

Summary: Puppet content promotion fails if there is no reverse DNS entry
Product: Red Hat Satellite
Reporter: Lukas Zapletal <lzap>
Component: Installation
Assignee: Chris Roberts <chrobert>
Status: CLOSED WORKSFORME
QA Contact: Katello QA List <katello-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.1.0
CC: bbuckingham, chrobert, daobrien, stbenjam
Target Milestone: Unspecified
Keywords: ReleaseNotes, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-25 16:43:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1190823

Description Lukas Zapletal 2015-05-14 18:03:59 UTC
Create a CV with at least one module and promote it on a system that does not have a reverse DNS record (e.g. some beaker machines):

E, [2015-05-14T13:56:31.419762 #23462] ERROR -- : Unable to resolve hostname for connecting client - 10.16.65.186. If it's to be a trusted host, ensure it has a reverse DNS entry.

There is currently no workaround for this, you cannot continue until you fix this.

We should either:

A) Give the user some way to work around this (extra switch)

or

B) Error out before installation if reverse DNS is not set (I was under the impression we already do this, apparently this is not working for Beta).

Comment 1 Lukas Zapletal 2015-05-14 18:10:47 UTC
Upstream in the authorize_with_trusted_hosts method we already introduce a "forward_verify" flag. We need to backport this and to introduce another one "reverse_verify". Both flags are a decent workaround for all cases.

Comment 2 RHEL Program Management 2015-05-14 18:22:38 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 Bryan Kearney 2016-07-26 15:25:24 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 6 Bryan Kearney 2016-07-26 15:45:10 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 8 Stephen Benjamin 2016-08-25 16:43:23 UTC
I tested this and this works fine, reverse DNS is only a fallback.  The proxy looks at the CN of the certificate now in trusted hosts first, so even if customer reverse DNS is broken, promotion still works.
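
Added example, not part of the bug report and not the proxy's own code: a sketch of the check order described in Comment 8 (certificate CN first, reverse DNS only as a fallback) with the "forward_verify" flag named in Comment 1. The function names, the stub resolver and the forward-confirmation behaviour given to `forward_verify` here are assumptions.

```ruby
require 'openssl'
require 'resolv'

# Constructed DNS stub so the example runs offline; Resolv.new offers the
# same getname/getaddresses interface against real DNS.
class StubDNS
  def initialize(ptr, a)
    @ptr = ptr
    @a = a
  end

  def getname(ip)
    @ptr.fetch(ip) { raise Resolv::ResolvError, "no name for #{ip}" }
  end

  def getaddresses(name)
    @a.fetch(name, [])
  end
end

# CN of the client certificate subject, or nil when there is no certificate.
def cert_cn(cert)
  return nil unless cert
  entry = cert.subject.to_a.find { |field, _value, _type| field == 'CN' }
  entry && entry[1].downcase
end

# Hostname the client may claim: certificate CN first, reverse DNS as fallback.
def client_fqdn(cert:, remote_ip:, resolver:, forward_verify: true)
  cn = cert_cn(cert)
  return cn if cn # no DNS lookup needed, so a missing PTR record is harmless

  begin
    name = resolver.getname(remote_ip).to_s.downcase
  rescue Resolv::ResolvError
    return nil # no reverse DNS entry: the client cannot be identified
  end
  # Forward-confirm the PTR answer: whoever controls the reverse zone for an
  # address could otherwise make it resolve to any trusted name.
  return nil if forward_verify && !resolver.getaddresses(name).map(&:to_s).include?(remote_ip)

  name
end

def trusted?(trusted_hosts, **client)
  fqdn = client_fqdn(**client)
  !fqdn.nil? && trusted_hosts.map(&:downcase).include?(fqdn)
end
```

With a client certificate present, the address 10.16.65.186 from the error message is accepted without any PTR record; without a certificate the same address is rejected, which matches the failure in the description.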