Bug 1306964

Summary: Installer answer file contains wrong path to the 'server_ssl_chain' file.
Product: Red Hat Satellite Reporter: Marcel Gazdík <mgazdik>
Component: InstallationAssignee: Ivan Necas <inecas>
Status: CLOSED ERRATA QA Contact: Evgeni Golov <egolov>
Severity: low Docs Contact:
Priority: medium    
Version: 6.1.6CC: ahuchcha, bkearney, chrobert, egolov, erinn.looneytriggs, inecas, jcallaha, ktordeur, marbet, pghadge, pmoravec
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
URL: http://projects.theforeman.org/issues/13687
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 16:54:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marcel Gazdík 2016-02-12 10:07:09 UTC
Description of problem:
  Customer is trying to use custom certificate authority chain file. Despite of all the changes made in 
certificate files, the path to SSL chain file in apache configuration file 05-foreman-ssl.conf is wrong.
Instead of pointing to the katello-default-ca.crt it should pointing to katello-server-ca.crt where
the custom chain file is saved.


Version-Release number of selected component (if applicable):
6.1.6 

How reproducible:
Install the satellite and apply custom certificates.

Steps to Reproduce:
1. Install satellite 
2. Run katello-installer to modify the certificates
  katello-installer --certs-server-cert "/root/$SAT.crt" \
  --certs-server-cert-req "/root/$SAT.csr" \
  --certs-server-key "/root/$SAT.key" \
  --certs-server-ca-cert '/root/new_ca.crt' \
  --certs-update-server \
  --certs-update-server-ca
3. Check path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf' file.

Actual results:
The 'SSLCertificateChainFile' option in the '/etc/httpd/conf.d/05-foreman-ssl.conf' files points 
to 'katello-default-ca.crt' instead of 'katello-server-ca.crt'

$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"

Source of this error can be found in the katello-installer answer file:

$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt


Expected results:

Modification of the '/etc/katello-installer/answers.katello-installer.yaml' file will lead to correct 
path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf'

$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"



Additional info: (workaround)

Modify the answer file:
sed -i -e 's/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-default-ca.crt/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-server-ca.crt/' /etc/katello-installer/answers.katello-installer.yaml

re-run katello-installer without parameters.

Comment 1 Ivan Necas 2016-02-12 13:28:42 UTC
Created redmine issue http://projects.theforeman.org/issues/13687 from this bug

Comment 2 Ivan Necas 2016-02-12 13:36:15 UTC
Patch sent into the upstream installer https://github.com/Katello/katello-installer/pull/296

Comment 4 Bryan Kearney 2016-07-26 15:25:24 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 5 Bryan Kearney 2016-07-26 15:36:22 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 7 Bryan Kearney 2016-08-02 14:12:25 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/13687 has been closed

Comment 9 Ivan Necas 2016-08-16 11:11:05 UTC
*** Bug 1249160 has been marked as a duplicate of this bug. ***

Comment 11 Stephen Benjamin 2016-12-06 16:18:00 UTC
*** Bug 1402011 has been marked as a duplicate of this bug. ***

Comment 12 Evgeni Golov 2017-08-23 13:51:38 UTC
VERIFIED

Version Tested: Satellite 6.3.0 Snap 12

The answers file and the httpd config now contain the right cert file:

[root@sat63-qa-rhel7 ~]# grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"

[root@sat63-qa-rhel7 ~]# grep server_ssl_chain /etc/foreman-installer/scenarios.d/katello-answers.yaml -A 1 -B 1
  server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
  server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
  server_ssl_crl: ''

[root@sat63-qa-rhel7 ~]# grep server_ssl_chain /etc/foreman-installer/scenarios.d/satellite-answers.yaml -A 1 -B 1
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

Comment 13 Satellite Program 2018-02-21 16:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> https://access.redhat.com/errata/RHSA-2018:0336