Bug 1222912
| Summary: | katello-agent doesn't work when custom certs are used | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Ivan Necas <inecas> |
| Component: | Installation | Assignee: | Ivan Necas <inecas> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Tazim Kolhar <tkolhar> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1.0 | CC: | andrew.schofield, bbuckingham, bkearney, cwelton, mmccune, tkolhar |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/10670 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-12 13:59:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ivan Necas
2015-05-19 12:32:41 UTC
Created redmine issue http://projects.theforeman.org/issues/10670 from this bug PRs against the agent https://github.com/Katello/katello-agent/pull/23 and puppet-certs https://github.com/Katello/puppet-certs/pull/62 opened Small PR to address some PR comments that came after the merge https://github.com/Katello/katello-agent/pull/24 FAILEDQA: # rpm -qa | grep foreman foreman-compute-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch rubygem-hammer_cli_foreman-0.1.4.13-1.el6_6sat.noarch foreman-vmware-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch foreman-postgresql-1.7.2.26-1.el6_6sat.noarch foreman-libvirt-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman-tasks-0.6.12.7-1.el6_6sat.noarch rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch rubygem-hammer_cli_foreman_docker-0.0.3.6-1.el6_6sat.noarch foreman-selinux-1.7.2.13-1.el6_6sat.noarch foreman-debug-1.7.2.26-1.el6_6sat.noarch foreman-ovirt-1.7.2.26-1.el6_6sat.noarch foreman-gce-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman_discovery-2.0.0.15-1.el6_6sat.noarch foreman-proxy-1.7.2.5-1.el6_6sat.noarch rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch ruby193-rubygem-foreman_docker-1.2.0.14-1.el6_6sat.noarch intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch foreman-1.7.2.26-1.el6_6sat.noarch ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch steps: # katello-installer --certs-server-cert /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt --certs-server-cert-req /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt.req --certs-server-key /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.key --certs-server-ca-cert /root/ownca/cacert.crt --certs-update-server --certs-update-server-ca Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-apache for update Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy for update Marking certificate /root/ssl-build/katello-server-ca for update /Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED] /Stage[main]/Apache::Service/Service[httpd]: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Could not evaluate: Connection refused - connect(2) /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Failed to call refresh: Connection refused - connect(2) /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Connection refused - connect(2) Installing Done [100%] [..................................................................] It failed due to different bug, that was switched to modified, putting back to modified this as well, to turn to ON_QA at once with https://bugzilla.redhat.com/show_bug.cgi?id=1227757 WORKAROUND:
1) Copy /etc/pki/katello/certs/katello-default-ca.crt from your Satellite to your capsule and place in: /etc/rhsm/ca/
2) On the capsule, hand edit /usr/lib/gofer/plugins/katelloplugin.py
3) Go to line 157:
plugin.cfg.messaging.cacert = rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']
4) Comment that line out and add a line below:
#plugin.cfg.messaging.cacert = rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']
plugin.cfg.messaging.cacert = rhsm_conf['rhsm']['ca_cert_dir'] + 'katello-default-ca.crt'
5) restart the 'goferd' service on your Capsule. Should see connection success in /var/log/messages.
*** Bug 1219961 has been marked as a duplicate of this bug. *** VERIFIED: # rpm -qa | grep foreman ruby193-rubygem-foreman_discovery-2.0.0.15-1.el7sat.noarch foreman-libvirt-1.7.2.27-1.el7sat.noarch ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch ruby193-rubygem-foreman_docker-1.2.0.14-1.el7sat.noarch rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el7sat.noarch foreman-selinux-1.7.2.13-1.el7sat.noarch dell-pe1955-02.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch foreman-compute-1.7.2.27-1.el7sat.noarch foreman-gce-1.7.2.27-1.el7sat.noarch ruby193-rubygem-foreman-redhat_access-0.2.0-8.el7sat.noarch rubygem-hammer_cli_foreman-0.1.4.14-1.el7sat.noarch foreman-debug-1.7.2.27-1.el7sat.noarch foreman-vmware-1.7.2.27-1.el7sat.noarch ruby193-rubygem-foreman-tasks-0.6.12.8-1.el7sat.noarch rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el7sat.noarch rubygem-hammer_cli_foreman_docker-0.0.3.7-1.el7sat.noarch foreman-proxy-1.7.2.5-1.el7sat.noarch dell-pe1955-02.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el7sat.noarch dell-pe1955-02.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch foreman-ovirt-1.7.2.27-1.el7sat.noarch rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el7sat.noarch foreman-1.7.2.27-1.el7sat.noarch ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch foreman-postgresql-1.7.2.27-1.el7sat.noarch steps: 1. issue custom certificates outside of the installer (https://github.com/iNecas/ownca can be used to do so) 2. configure the katello to use the certificates https://github.com/Katello/katello-installer#custom-server-certificates # katello-installer --certs-server-cert /root/ownca/dell-pe1955-02.rhts.eng.bos.redhat.com/dell-pe1955-02.rhts.eng.bos.redhat.com.crt --certs-server-cert-req /root/ownca/dell-pe1955-02.rhts.eng.bos.redhat.com/dell-pe1955-02.rhts.eng.bos.redhat.com.crt.req --certs-server-key /root/ownca/dell-pe1955-02.rhts.eng.bos.redhat.com/dell-pe1955-02.rhts.eng.bos.redhat.com.key --certs-server-ca-cert /root/ownca/cacert.crt --certs-update-server --certs-update-server-ca 3. register a client 4. install the katello-agent # yum install -y katello-agent Installed: katello-agent.noarch 0:2.2.5-1.el6_6sat Complete! This bug is slated to be released with Satellite 6.1. This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015. |