Bug 1320077

Summary: In case of change Pegasus's path to SSL certificates, reflect this change in wbemcli
Product: Red Hat Enterprise Linux 7 Reporter: Vitezslav Crhonek <vcrhonek>
Component: sblim-wbemcli Assignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED ERRATA QA Contact: Alois Mahdal <amahdal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3 CC: amahdal, ovasik, vcrhonek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sblim-wbemcli-1.6.2-11.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 16:46:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1308809    
Bug Blocks: 1380364, 1393870, 1400961    

Description Vitezslav Crhonek 2016-03-22 09:43:02 UTC
Description of problem:
Currently, tog-pegasus stores SSL certificates in the /etc/Pegasus directory. There is a request to move them to a better place (at least because of SELinux), see rhbz#1308809. It seems reasonable to move them to /etc/pki/Pegasus.

However, wbemcli has /etc/Pegasus hardcoded as the default path to the required certificate 'client.pem'. If the path changes, a common https connection (without the '-noverify' flag) will fail:

# wbemcli ei -nl 'https://root:$PASS@localhost:5989/root/cimv2:PG_OperatingSystem'
*
* wbemcli: Http Exception: Could not open CA certificate file: /etc/Pegasus/client.pem (No such file or directory)
*

Of course, it could be fixed by '-cacert /etc/pki/Pegasus' (or '-noverify'), but until that time any script using wbemcli would be broken - regression.
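
An added example (not part of the bug report or of sblim-wbemcli): a POSIX shell helper that a script calling wbemcli could use to find 'client.pem' in either location named above and pass it with '-cacert', failing closed instead of falling back to '-noverify'. It assumes '-cacert' takes the path of the certificate file, as the error message above suggests; the function names and the optional root-prefix argument are hypothetical.

```sh
#!/bin/sh
# Added example: choose the Pegasus CA file for wbemcli without disabling
# certificate verification. The optional first argument is a hypothetical
# root prefix so the lookup can be exercised against a scratch tree;
# omit it on a real host.

# Print the first usable client.pem: new location first, then the legacy one.
find_pegasus_cacert() {
    root=${1:-}
    for dir in /etc/pki/Pegasus /etc/Pegasus; do
        pem="$root$dir/client.pem"
        # Require a readable regular file that really contains a PEM certificate,
        # so an empty or truncated file is skipped rather than handed to wbemcli.
        if [ -f "$pem" ] && [ -r "$pem" ] &&
           grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
            printf '%s\n' "$pem"
            return 0
        fi
    done
    return 1
}

# Print the TLS option for wbemcli. If no certificate is found, report it and
# return non-zero; never emit -noverify as a silent fallback.
wbemcli_tls_opts() {
    if pem=$(find_pegasus_cacert "${1:-}"); then
        printf '%s %s\n' -cacert "$pem"
    else
        echo "no usable Pegasus client.pem found; refusing to use -noverify" >&2
        return 1
    fi
}

# Intended use in a calling script (assumes the path contains no whitespace):
#   opts=$(wbemcli_tls_opts) || exit 1
#   wbemcli ei $opts "$URL"
```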

Comment 4 Alois Mahdal 2017-06-13 20:05:24 UTC
I tried to reproduce this by running TC#289077 /CoreOS/sblim/tools/wbemcli-command-segfaults-when-called-with-https-scheme on a RHEL-7.4 compose with downgraded wbemcli:

    # rpm -ql tog-pegasus | grep pem$
    /etc/pki/Pegasus/client.pem
    /etc/pki/Pegasus/file.pem
    /etc/pki/Pegasus/server.pem
    /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
    # rpm -q tog-pegasus sblim-wbemcli
    tog-pegasus-2.14.1-5.el7.x86_64
    sblim-wbemcli-1.6.2-10.el7.x86_64
    # 


I get a different message, though:

    :: [  BEGIN   ] :: Running 'wbemcli ei 'https://pegasus:test@localhost:5989/root/cimv2:Linux_BlockStorageStatisticalData' > TESTOUT'
    *
    * wbemcli: Http Exception: Problem with the SSL CA cert (path? access rights?)
    *

Is it possible that the error message has changed?  Or I'm doing something wrong?

Comment 5 Vitezslav Crhonek 2017-06-14 09:02:19 UTC
(In reply to Alois Mahdal from comment #4)
> 
> Is it possible that the error message has changed?  Or I'm doing something
> wrong?

The message in comment#1 is from the latest version of sblim-wbemcli and it differs from the version shipped within RHEL7.

Comment 6 Alois Mahdal 2017-06-16 03:46:49 UTC
OK, so I tried running a slightly modified version of test TC#289077 (just to run something with HTTPS) with the following version combinations:

    tog-pegasus   | sblim-wbemcli || result
    ==============|===============||========
     2.14.1-3.el7 | 1.6.2-10.el7  || pass
     2.14.1-3.el7 | 1.6.2-11.el7  || fail
     2.14.1-5.el7 | 1.6.2-10.el7  || fail
     2.14.1-5.el7 | 1.6.2-11.el7  || pass

This is expected behavior: if tog-pegasus is updated, sblim-wbemcli must be updated as well.  (Errata dependencies are set in a way that guarantees that either both or none will be available at the same time.)

Comment 7 errata-xmlrpc 2017-08-01 16:46:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1970