|Summary:||Download of kickstart file over https fails|
|Product:||Red Hat Enterprise Linux 6||Reporter:||Hubert Kario <hkario>|
|Component:||anaconda||Assignee:||Brian Lane <bcl>|
|Status:||CLOSED ERRATA||QA Contact:||Release Test Team <release-test-team>|
|Severity:||high||Docs Contact:||Clayton Spicer <cspicer>|
|Version:||6.7||CC:||bcl, cww, hannsj_uhl, jreznik, jstodola, mganisin, mkovarik, omoris, salmy, sbueno, sigbjorn|
|Fixed In Version:||anaconda-13.21.249-1||Doc Type:||Enhancement|
Using an HTTPS source for kickstart files is now supported With this update, it is now possible to specify HTTPS sources for kickstart files.
|Last Closed:||2016-05-10 20:45:53 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:|
Description Hubert Kario 2015-09-03 17:26:03 UTC
Description of problem: When using recent RHEL-6 composes, e.g. RHEL-6.7-20150710.n.0 and RHEL-6.7-20150519.0, specifying a kickstart file over https makes the installation fail. Version-Release number of selected component (if applicable): RHEL-6.7-20150710.n.0 How reproducible: always Steps to Reproduce: 1. Run installation with ks=https://www.redhat.com/ Actual results: In 3rd VT: Error downloading https://www.redhat.com/: Problem with the SSL CA cert (path? access rights?) But using wireshark on the VM I don't see any TLS communication, just a TCP connection getting opened and then right away closed, so there's no way for the server TLS configuration to have any effect on the download. Expected results: anaconda being able to download kickstart file over HTTPS Additional info: This is a regression from bug 696696. This functionality is also described as working in https://access.redhat.com/solutions/1016 I'm guessing that the root cause is anaconda being unable to locate/initialize/load the system trust store with CA certificates. In other words, related to bug 1182297.
Comment 3 Brian Lane 2015-09-03 19:37:17 UTC
Proposed patch to add ca-bundle.crt to initrd. https://github.com/rhinstaller/anaconda/pull/343
Comment 7 Brian Lane 2016-02-24 00:00:06 UTC
https://github.com/rhinstaller/anaconda/pull/520 should fix it, sorry about that.
Comment 8 Brian Lane 2016-02-24 15:30:58 UTC
Note that the commit was pushed with the wrong bz# in the commit message (1303855).
Comment 11 Jan Stodola 2016-03-14 09:27:57 UTC
Retested with anaconda-13.21.249-1.el6, ca-bundle.crt is present in initrd.img: $ lsinitrd initrd.img | grep ca-bundle.crt -rw-r--r-- 1 root root 863389 Mar 8 19:25 etc/pki/tls/certs/ca-bundle.crt $ With "ks=https://www.redhat.com/" on the kernel command line, anaconda downloaded the file without errors and tried to use it (which failed as expected). Moving to VERIFIED.
Comment 13 errata-xmlrpc 2016-05-10 20:45:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0798.html