Bug 1382307

Summary: Development Deployment Error
Product: [Community] Candlepin Reporter: Filip Nguyen <fnguyen>
Component: candlepinAssignee: Kevin Howell <khowell>
Status: CLOSED CURRENTRELEASE QA Contact: Katello QA List <katello-qa-list>
Severity: low Docs Contact:
Priority: medium    
Version: 2.0CC: awood, khowell, redakkan, skallesh, vrjain
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: candlepin-2.0.20-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-16 09:16:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Filip Nguyen 2016-10-06 10:20:08 UTC 
Description of problem:
After 'gem update' I am getting this [1] error during 'deploy -t'. I am using rvm and I can reproduce this with: ruby-2.0.0-p648,ruby-2.2.1

Workaround for this is to just reinstall the rvm ruby

[1] 
/home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:809:in `rescue in transmit': SSL_connect returned=1 errno=0 state=error: certificate verify failed (RestClient::SSLCertificateNotVerified)
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:698:in `transmit'
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:215:in `execute'
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:52:in `execute'
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/resource.rb:51:in `get'
	from /home/fnguyen/candlepin/candlepin/server/client/ruby/candlepin_api.rb:1221:in `get'
	from /home/fnguyen/candlepin/candlepin/server/client/ruby/candlepin_api.rb:52:in `initialize'
	from bin/import_test_data.rb:38:in `new'
	from bin/import_test_data.rb:38:in `<main>'


Version-Release number of selected component (if applicable):
ruby-2.0.0-p648
ruby-2.2.1

How reproducible:
always

Steps to Reproduce:
1. install rvm ruby ruby-2.2.1
2. gem update
3. bin/deploy -gt

Actual results:
1] 
/home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:809:in `rescue in transmit': SSL_connect returned=1 errno=0 state=error: certificate verify failed (RestClient::SSLCertificateNotVerified)
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:698:in `transmit'
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:215:in `execute'
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/request.rb:52:in `execute'
	from /home/fnguyen/.rvm/gems/ruby-2.2.1/gems/rest-client-2.0.0/lib/restclient/resource.rb:51:in `get'
	from /home/fnguyen/candlepin/candlepin/server/client/ruby/candlepin_api.rb:1221:in `get'
	from /home/fnguyen/candlepin/candlepin/server/client/ruby/candlepin_api.rb:52:in `initialize'
	from bin/import_test_data.rb:38:in `new'
	from bin/import_test_data.rb:38:in `<main>'

Expected results:
No exception

Additional info:
Before running gem update, I tried to backup .rvm/rubies/ruby-2.2.1 . After update I tried to revert this backed up dir, but it didn't help. I just find this strange, I thought that 'gem update' only affects .rvm/rubies/ruby-2.2.1 and doesn't disturb other parts of the enviro
Comment 1 Alex Wood 2016-10-10 18:16:21 UTC 
In the candlepin_api.rb code I do not see any code that actually tells the Candlepin class about the CA that signed the Candlepin server's certificate.  Without knowing who the CA is, the TLS/SSL connection is going to fail with a "certificate verify" error.  Lots of libraries are sloppy about enforcing the requirement that the CA be known so it wouldn't suprise me if older versions weren't throwing this error.  You can see in https://github.com/rest-client/rest-client/blob/master/lib/restclient/request.rb#L7 that the RestClient module accepts options for ssl_ca_file and such that we are not sending in when we construct a RestClient::Resource.  I'll wager that's what the problem is.  The CA will be the Candlepin cert under /etc/candlepin/certs/candlepin-ca.crt.