Bug 1259880

Summary: Download of kickstart file over https fails
Product: Red Hat Enterprise Linux 6
Reporter: Hubert Kario <hkario>
Component: anaconda
Assignee: Brian Lane <bcl>
Status: CLOSED ERRATA
QA Contact: Release Test Team <release-test-team>
Severity: high
Docs Contact: Clayton Spicer <cspicer>
Priority: high
Version: 6.7
CC: bcl, cww, hannsj_uhl, jreznik, jstodola, mganisin, mkovarik, omoris, salmy, sbueno, sigbjorn
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: anaconda-13.21.249-1
Doc Type: Enhancement
Doc Text: Using an HTTPS source for kickstart files is now supported. With this update, it is now possible to specify HTTPS sources for kickstart files.
Last Closed: 2016-05-10 20:45:53 UTC
Type: Bug
Bug Blocks: 1269957    

Description Hubert Kario 2015-09-03 17:26:03 UTC
Description of problem:
When using recent RHEL-6 composes, e.g. RHEL-6.7-20150710.n.0 and RHEL-6.7-20150519.0, specifying a kickstart file over https makes the installation fail.

Version-Release number of selected component (if applicable):
RHEL-6.7-20150710.n.0

How reproducible:
always

Steps to Reproduce:
1. Run installation with ks=https://www.redhat.com/

Actual results:
In 3rd VT:
   Error downloading https://www.redhat.com/: Problem with the SSL CA cert (path? access rights?)

But using wireshark on the VM I don't see any TLS communication, just a TCP connection getting opened and then right away closed, so there's no way for the server TLS configuration to have any effect on the download.

Expected results:
anaconda being able to download kickstart file over HTTPS

Additional info:
This is a regression from bug 696696. This functionality is also described as working in https://access.redhat.com/solutions/1016

I'm guessing that the root cause is anaconda being unable to locate/initialize/load the system trust store with CA certificates. In other words, related to bug 1182297.

Comment 3 Brian Lane 2015-09-03 19:37:17 UTC
Proposed patch to add ca-bundle.crt to initrd.

https://github.com/rhinstaller/anaconda/pull/343

Comment 7 Brian Lane 2016-02-24 00:00:06 UTC
https://github.com/rhinstaller/anaconda/pull/520 should fix it, sorry about that.

Comment 8 Brian Lane 2016-02-24 15:30:58 UTC
Note that the commit was pushed with the wrong bz# in the commit message (1303855).

Comment 11 Jan Stodola 2016-03-14 09:27:57 UTC
Retested with anaconda-13.21.249-1.el6, ca-bundle.crt is present in initrd.img:

$ lsinitrd initrd.img | grep ca-bundle.crt
-rw-r--r--   1 root     root       863389 Mar  8 19:25 etc/pki/tls/certs/ca-bundle.crt
$

With "ks=https://www.redhat.com/" on the kernel command line, anaconda downloaded the file without errors and tried to use it (which failed as expected).

Moving to VERIFIED.
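
The check from Comment 11 turned into a reusable regression test, as an added example that is not part of the original thread or of anaconda: it reads an `lsinitrd`-style long listing on stdin and fails if `etc/pki/tls/certs/ca-bundle.crt` is missing, empty, or not a regular file. The function name, the exit codes and every listing line other than the one quoted in Comment 11 are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that an installer initrd ships the CA bundle needed
# for ks=https://... downloads. Intended use: lsinitrd initrd.img | check_ca_bundle

CA_BUNDLE_PATH="etc/pki/tls/certs/ca-bundle.crt"   # path shown in Comment 11

# check_ca_bundle (hypothetical helper): reads a long listing on stdin.
#   exit 0 + prints size : bundle is a non-empty regular file
#   exit 1               : bundle path not present in the listing
#   exit 2               : present but empty, or not a regular file
#                          (a symlink needs its target checked separately)
check_ca_bundle() {
    awk -v want="$CA_BUNDLE_PATH" '
        NF < 9 { next }                      # skip headers and blank lines
        {
            path = $NF
            if ($(NF-1) == "->") path = $(NF-2)   # symlink: name precedes "->"
            sub(/^\.\//, "", path)           # some listings prefix "./"
            if (path != want) next
            found = 1
            if (substr($1, 1, 1) != "-") { bad = 1; next }
            size = $5 + 0
        }
        END {
            if (!found) exit 1
            if (bad || size <= 0) exit 2
            print size
        }'
}

# Constructed sample listings. Only the ca-bundle.crt line is taken from
# Comment 11; the other lines are made up for the demonstration.
SAMPLE_FIXED='drwxr-xr-x   2 root     root            0 Mar  8 19:25 etc/pki/tls/certs
-rw-r--r--   1 root     root       863389 Mar  8 19:25 etc/pki/tls/certs/ca-bundle.crt'
SAMPLE_BROKEN='drwxr-xr-x   2 root     root            0 Mar  8 19:25 etc/pki/tls/certs
-rw-r--r--   1 root     root         1005 Mar  8 19:25 etc/pki/tls/openssl.cnf'

if size=$(printf '%s\n' "$SAMPLE_FIXED" | check_ca_bundle); then
    echo "fixed initrd: CA bundle present ($size bytes)"
fi
printf '%s\n' "$SAMPLE_BROKEN" | check_ca_bundle >/dev/null ||
    echo "broken initrd: CA bundle check failed (status $?)"
```

A non-zero exit corresponds to the condition this bug describes: without the bundle the download aborts with the "Problem with the SSL CA cert" error.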

Comment 13 errata-xmlrpc 2016-05-10 20:45:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0798.html

Comment 15 Michal Kovarik 2016-07-25 11:18:19 UTC
See bug 1341280