Bug 1356955

Summary: When default-ca is updated, it doesn't update the nssdb
Product: Red Hat Satellite Reporter: Ivan Necas <inecas>
Component: InstallationAssignee: Ivan Necas <inecas>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.0CC: bbuckingham, jcallaha, lpramuk
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 16:59:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1218251    
Bug Blocks:    

Description Ivan Necas 2016-07-15 11:15:22 UTC 
Description of problem:
When a new default-ca gets generated (which should be pretty rare case)
and can happen for example when the /root/ssl-build directory is removed
without a backup, the installer generates a new ca, but it fails
updating the nssdb with the new ca, which causes issues when connecting
to qpid later.

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. satellite-installer --scenario=satellite
2. rm -rf /root/ssl-build
3. satellite-installer


Actual results:

qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]/returns: change from notrun to 0 failed: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: Failed to call refresh: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]


Expected results:

the new ca is deployed successfully
Comment 1 Ivan Necas 2016-07-15 11:22:43 UTC 
A workaround is

   rm -rf /etc/pki/katello/nssdb
   satellite-installer

this makes sure the nssdb is recreated with valid certificates
Comment 2 Ivan Necas 2016-07-15 11:23:36 UTC 
Created redmine issue http://projects.theforeman.org/issues/15700 from this bug
Comment 3 Bryan Kearney 2016-07-15 14:16:08 UTC 
Upstream bug assigned to inecas
Comment 4 Bryan Kearney 2016-07-15 14:16:10 UTC 
Upstream bug assigned to inecas
Comment 6 Bryan Kearney 2016-10-12 20:09:25 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/15700 has been resolved.
Comment 7 Lukas Pramuk 2017-06-23 12:10:12 UTC 
VERIFIED.

@satellite-6.3.0-15.0.beta.el7sat.noarch
katello-installer-base-3.4.1.3-1.el7sat.noarch

by manual reproducer in comment#0


3. # satellite-installer
Installing             Done                                               [100%] [.....................................]
  Success!
  * Katello is running at https://SATFQDN
  * To install an additional Foreman proxy on separate machine continue by running:

      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

>>> after certs storage removal in /root/ssl-build the other certs are generated aswell
Comment 8 Bryan Kearney 2018-02-21 16:59:39 UTC 
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336