Bug 1346096

Summary: pulp creates SSL/TLS certificates needs to be unique per instance or install but this value is created at install-time and not during the first run
Product: Red Hat Satellite
Reporter: Kurt Seifried <kseifried>
Component: Pulp
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: Ivan Necas <inecas>
Severity: medium
Priority: high
Version: 6.2.0
CC: bbuckingham, bkearney, bmbouter, daviddavis, dkliban, ehelms, ggainey, inecas, ipanova, jcallaha, mhrivnak, pcreech, rchan, tjay, ttereshc
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: All
Fixed In Version: pulp-2.13.0
Doc Type: If docs needed, set a value
Last Closed: 2018-02-21 16:51:07 UTC
Type: Bug
Bug Blocks: 1346019

Description Kurt Seifried 2016-06-14 01:18:10 UTC
Version-Release number of selected component (if applicable):

pulp-2.4.1-0.7.beta.el7sat but latest upstream also has it.

How reproducible:

Always.

postinstall:
  openssl genrsa -out $KEY_PATH 2048 &> /dev/null
  openssl rsa -in $KEY_PATH -pubout > $KEY_PATH_PUB 2> /dev/null



Steps to Reproduce:
1. Install to a container or image.
2. Run new instance of container or image.
3.

Actual results:

All container and image instances share the same key/cert.

Expected results:

Each instance should receive a unique key/cert.

Additional info:

This bug is being filed because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506

The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.
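
A runtime check-and-generate step of the kind the description recommends, as an added example (not code from this bug report or from Pulp's actual fix). The function names are hypothetical; the two path arguments correspond to $KEY_PATH and $KEY_PATH_PUB in the postinstall snippet, and the key directory is assumed to be on a filesystem that supports hard links.

```shell
#!/bin/sh
# Added example, not Pulp's code. Call at first service start (for instance
# from a systemd ExecStartPre= helper), never from an RPM %post scriptlet.

# ensure_instance_key KEY_PATH KEY_PATH_PUB
# Generates a 2048-bit RSA key pair only if KEY_PATH does not exist yet.
ensure_instance_key() {
    key_path=$1
    key_path_pub=$2
    key_dir=$(dirname "$key_path")
    mkdir -p "$key_dir" || return 1
    (
        umask 077    # nothing created here is group- or world-readable
        if [ ! -e "$key_path" ]; then
            tmp=$(mktemp "$key_dir/.key.XXXXXX") || exit 1
            trap 'rm -f "$tmp"' EXIT
            openssl genrsa -out "$tmp" 2048 2>/dev/null || exit 1
            # ln is atomic and refuses to overwrite: if a concurrent start
            # already published a key, that key wins and ours is discarded.
            ln "$tmp" "$key_path" 2>/dev/null || [ -e "$key_path" ] || exit 1
        fi
        # Derive the public half from whichever private key is in place.
        if [ ! -s "$key_path_pub" ]; then
            openssl rsa -in "$key_path" -pubout -out "$key_path_pub.tmp" \
                2>/dev/null || exit 1
            chmod 644 "$key_path_pub.tmp" || exit 1
            mv "$key_path_pub.tmp" "$key_path_pub" || exit 1
        fi
    )
}

# no_baked_in_keys DIR
# Succeeds only if DIR holds no PEM private key. Run it against the image
# after package installation and before any service has started.
no_baked_in_keys() {
    ! grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null |
        grep -q .
}

# Stand-alone use: script.sh KEY_PATH KEY_PATH_PUB
if [ "$#" -eq 2 ]; then
    ensure_instance_key "$1" "$2"
fi
```

Running `no_baked_in_keys` as a gate in the image build catches a package that still generates keys at install time, while `ensure_instance_key` gives each started instance its own pair.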

Comment 2 Michael Hrivnak 2016-06-15 13:07:19 UTC
Thanks for the report and the links. That's very helpful.

Comment 3 Kurt Seifried 2016-06-25 03:11:52 UTC
Just a note, the first run issue can also be handled through orchestration (e.g. OpenStack, CloudForms, OpenShift Enterprise and so on). But the certificate creation MUST be removed from the rpm install scripts.

Comment 5 pulp-infra@redhat.com 2016-11-21 18:53:23 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2016-11-21 18:53:26 UTC
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-12-13 16:42:55 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-12-16 00:48:59 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 9 pulp-infra@redhat.com 2017-03-21 19:19:28 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 10 pulp-infra@redhat.com 2017-03-21 19:33:36 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 12 pulp-infra@redhat.com 2017-04-19 21:34:42 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 13 pulp-infra@redhat.com 2017-04-27 14:06:17 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 15 Ivan Necas 2017-08-30 14:59:59 UTC
Verification version: Satellite 6.3 Snap 13

Steps:

1. yum install -y satellite
2. check /etc/pki/pulp for generated keys

Result: the directory doesn't contain any keys after the rpms were installed

Comment 16 Bryan Kearney 2018-02-21 16:43:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Comment 17 Satellite Program 2018-02-21 16:51:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336