Bug 1417734
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error | | |
| Product: | Red Hat Satellite | Reporter: | Craig Donnelly <cdonnell> |
| Component: | Infrastructure | Assignee: | Chris Roberts <chrobert> |
| Status: | CLOSED ERRATA | QA Contact: | Sanket Jagtap <sjagtap> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.2.7 | CC: | bkearney, chrobert, ehelms, jcallaha, riehecky, sjagtap, zhunting |
| Target Milestone: | Unspecified | Keywords: | Triaged, UserExperience |
| Target Release: | Unused | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://projects.theforeman.org/issues/18310 | | |
| Whiteboard: | | | |
| Fixed In Version: | katello-installer-base-3.0.0.80-2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1426416 (view as bug list) | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1417399, 1426416 | | |
I made a typo above for how this should look, you'll have to ignore some other typos above for the cert names. Point is driven either way.

Here is the revision:

Expected results:
katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

```
# katello-certs-check -c newcapsule.crt -k newcapsule.key -r newcapsule.csr -b CA-crt.pem
<snip>
To use them inside a NEW $CAPSULE, run this command:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"\
--certs-update-server
</snip>
```
Created Redmine issue: http://projects.theforeman.org/issues/18310

Pull request here: https://github.com/Katello/katello-installer/pull/475

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18310 has been resolved.

Please add verification steps for this bug to help QE verify.

Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Build: Satellite 6.2.9 snap 2
Version: katello-installer-base-3.0.0.79-1.el7sat.noarch

```
katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt
Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]
Validation succeeded.

To install the Satellite main server with the custom certificates, run:
satellite-installer --scenario satellite\
--certs-server-cert "sjagtap.abc.com.crt"\
--certs-server-cert-req "sjagtap.abc.com.crt.req"\
--certs-server-key "sjagtap.abc.com.key"\
--certs-server-ca-cert "cacert.crt"

To update the certificates on a currently running Satellite installation, run:
satellite-installer --scenario satellite\
--certs-server-cert "sjagtap.abc.com.crt"\
--certs-server-cert-req "sjagtap.abc.com.crt.req"\
--certs-server-key "sjagtap.abc.com.key"\
--certs-server-ca-cert "cacert.crt"\
--certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "sjagtap.abc.com.crt"\
--server-cert-req "sjagtap.abc.com.crt.req"\
--server-key "sjagtap.abc.com.key"\
--server-ca-cert "cacert.crt"\

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule--fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\
--server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\
--server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\
--server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\
```
I see the added option for satellite-installer, --certs-update-server, for updating the certs, but the option is still missing for the EXISTING $CAPSULE case as per comment #1.
Build: Satellite 6.2.9 snap 3

```
katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt
Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]
Validation succeeded.

To install the Satellite main server with the custom certificates, run:
satellite-installer --scenario satellite\
--certs-server-cert "sjagtap.abc.com.crt"\
--certs-server-cert-req "sjagtap.abc.com.crt.req"\
--certs-server-key "sjagtap.abc.com.key"\
--certs-server-ca-cert "cacert.crt"

To update the certificates on a currently running Satellite installation, run:
satellite-installer --scenario satellite\
--certs-server-cert "sjagtap.abc.com.crt"\
--certs-server-cert-req "sjagtap.abc.com.crt.req"\
--certs-server-key "sjagtap.abc.com.key"\
--certs-server-ca-cert "cacert.crt"\
--certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "sjagtap.abc.com.crt"\
--server-cert-req "sjagtap.abc.com.crt.req"\
--server-key "sjagtap.abc.com.key"\
--server-ca-cert "cacert.crt"\

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule--fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\
--server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\
--server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\
--server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\
--certs-update-server
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1191
Description of problem:
When using `katello-certs-check` the `capsule-certs-generate` command that is provided is assuming that we are only updating a capsule's certificates, and not generating them for the first time. If we indeed use this command to generate certs for a fresh capsule, we will encounter an error because the directories for that capsule do not yet exist.

This is in reference to the '--certs-update-server' argument. This argument is only necessary to update certificates that were already created before. If we are generating a fresh pair of certs for a fresh capsule, we want to omit this argument to create a fresh directory and certificate set for the capsule without a traceback.

Version-Release number of selected component (if applicable):
6.2.7

How reproducible:
100%

Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Actual results:

```
# katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem
<snip>
To use them inside a $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"\
--certs-update-server
</snip>
```

When running the provided command:

```
# capsule-certs-generate --capsule-fqdn "newcapsule.example.com" --certs-tar "~/newcapsule-certs.tar" --server-cert "newcapsule.crt" --server-cert-req "newcapsule.csr" --server-key "newcapsule.key" --server-ca-cert "CA-crt.pem" --certs-update-server
Marking certificate /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache for update
/usr/share/ruby/fileutils.rb:1145:in `initialize': No such file or directory - /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache.update (Errno::ENOENT)
	from /usr/share/ruby/fileutils.rb:1145:in `open'
	from /usr/share/ruby/fileutils.rb:1145:in `rescue in block in touch'
	from /usr/share/ruby/fileutils.rb:1141:in `block in touch'
	from /usr/share/ruby/fileutils.rb:1139:in `each'
	from /usr/share/ruby/fileutils.rb:1139:in `touch'
	from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:18:in `mark_for_update'
	from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:38:in `block (4 levels) in load'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `instance_eval'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `block (4 levels) in load'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `instance_exec'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:51:in `block in execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `each'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:375:in `run_installation'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:141:in `execute'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:148:in `run'
	from /usr/sbin/capsule-certs-generate:50:in `<main>'
```

Expected results:
katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

```
# katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem
<snip>
To use them inside a NEW $CAPSULE, run this command:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"
</snip>
```

Additional info:
This came about as a documentation bug that is actually caused by this oversight. This is being tracked in RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1417399.
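The failure mode in this description comes down to one decision: `--certs-update-server` is only valid when a capsule's certificate build directory already exists, because the hook then touches a `<fqdn>-apache.update` marker inside it. The following Ruby is an added illustration written for this page, not the katello-installer code or the `20-certs_update.rb` hook from the traceback. It assumes the layout the traceback shows (`<ssl_build>/<fqdn>/<fqdn>-apache.update`, with `/root/ssl-build` as the default), assumes the tar name `~/<fqdn>-certs.tar`, and the helper names `capsule_exists?`, `capsule_certs_command` and `mark_for_update` are hypothetical. It picks the right command variant for a new versus an existing capsule and turns the `Errno::ENOENT` traceback into an explicit, explained refusal.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper: a capsule counts as "existing" when its certificate
# build directory is present under ssl_build (assumed layout from the page's
# traceback: /root/ssl-build/<fqdn>/).
def capsule_exists?(ssl_build, fqdn)
  File.directory?(File.join(ssl_build, fqdn))
end

# Hypothetical helper: build the capsule-certs-generate command line for a
# capsule, adding --certs-update-server only when there is an existing build
# directory to update. The "~/<fqdn>-certs.tar" tar name is an assumption.
def capsule_certs_command(fqdn, certs, ssl_build: '/root/ssl-build')
  opts = {
    '--capsule-fqdn'    => fqdn,
    '--certs-tar'       => "~/#{fqdn}-certs.tar",
    '--server-cert'     => certs[:cert],
    '--server-cert-req' => certs[:req],
    '--server-key'      => certs[:key],
    '--server-ca-cert'  => certs[:ca],
  }
  line = 'capsule-certs-generate ' + opts.map { |k, v| %(#{k} "#{v}") }.join(' ')
  # For a brand-new capsule the directory does not exist yet, so the update
  # flag would only trigger the Errno::ENOENT seen in the bug report.
  line += ' --certs-update-server' if capsule_exists?(ssl_build, fqdn)
  line
end

# Hypothetical guarded version of the "mark for update" step: touch the
# <fqdn>-apache.update marker only when the build directory exists. Returns
# the marker path on success, or nil with a readable warning instead of an
# unhandled Errno::ENOENT traceback.
def mark_for_update(ssl_build, fqdn)
  dir = File.join(ssl_build, fqdn)
  unless File.directory?(dir)
    warn "No certificate build directory #{dir}: this looks like a new " \
         "capsule, run capsule-certs-generate without --certs-update-server"
    return nil
  end
  marker = File.join(dir, "#{fqdn}-apache.update")
  FileUtils.touch(marker)
  marker
end

if __FILE__ == $0
  # Constructed sample input: an empty temporary ssl-build tree stands in for
  # /root/ssl-build so the demo runs without touching the real system.
  Dir.mktmpdir do |ssl_build|
    fqdn = 'newcapsule.example.com'
    certs = { cert: 'newcapsule.crt', req: 'newcapsule.csr',
              key: 'newcapsule.key', ca: 'CA-crt.pem' }

    puts "New capsule:      #{capsule_certs_command(fqdn, certs, ssl_build: ssl_build)}"
    mark_for_update(ssl_build, fqdn)          # warns, returns nil

    FileUtils.mkdir_p(File.join(ssl_build, fqdn))   # now an "existing" capsule
    puts "Existing capsule: #{capsule_certs_command(fqdn, certs, ssl_build: ssl_build)}"
    puts "Marked: #{mark_for_update(ssl_build, fqdn)}"
  end
end
```

The check is deliberately the same predicate on both sides: the command builder and the marker step agree on what "existing" means, so the printed advice and the installer's behaviour cannot drift apart the way they did in the output quoted above.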