Bug 1482697
Summary: | Problem enabling SSL connections to CF database node | |||
---|---|---|---|---|
Product: | Red Hat CloudForms Management Engine | Reporter: | Saif Ali <saali> | |
Component: | Appliance | Assignee: | Nick Carboni <ncarboni> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | luke couzens <lcouzens> | |
Severity: | medium | Docs Contact: | ||
Priority: | high | |||
Version: | 5.7.0 | CC: | abellott, jhardy, lcouzens, ncarboni, obarenbo | |
Target Milestone: | GA | Keywords: | TestOnly | |
Target Release: | 5.10.0 | Flags: | lcouzens: needinfo- | |
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | 5.10.0.0 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1527625 (view as bug list) | Environment: | ||
Last Closed: | 2018-06-21 21:03:46 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1527625 |
Description
Saif Ali
2017-08-17 22:24:13 UTC
I can't seem to reproduce this in 5.7.3, only seeing this on 5.7.2. I did however notice something else that may be the reason for this working in later builds: it seems that after enabling ssl on an appliance you can still connect to it without first copying the root.crt to the /root/.postgresql/ location of the client appliance. Correct me if I am wrong, but I am not sure this should be possible; as far as I understand it, we should require the cert to connect to the appliance database? Perhaps in later builds it seems as though this original issue is fixed, but in reality we are not actually connecting to the database with the cert.

After looking into our process for enabling ssl on the database, it seems like none of the client configuration steps should be necessary. Additionally, the /var/www/miq/vmdb/certs/root.crt file is not needed. After seeing this, I created the following PRs to enable ssl using a newly generated cert on database creation:

https://github.com/ManageIQ/manageiq-appliance_console/pull/22
https://github.com/ManageIQ/manageiq-appliance/pull/162

These should remove the need for this portion of the documentation as it exists today. We may want to add separate sections about using your own certs or configuring clients to only connect to database servers which are running using ssl. I'll open a separate docs BZ to track that after the PRs are merged. Moving this to post.

A newly created internal database will be automatically configured to use ssl connections.

Verified in 5.10
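The following is an added example, not part of the bug report or of the ManageIQ code. It evaluates a libpq connection string against PostgreSQL's documented `sslmode` rules to show when a client connects without checking the server certificate against `root.crt`. The host and database names are constructed, and the `home`, `exists` and `env` parameters are hypothetical hooks so the check can run without touching the real filesystem.

```python
import os
import shlex

# libpq sslmode semantics per the PostgreSQL client documentation:
# mode -> (encryption guaranteed, CA chain verified, host name verified)
SSLMODES = {
    "disable": (False, False, False),
    "allow": (False, False, False),
    "prefer": (False, False, False),   # libpq default; falls back to plaintext
    "require": (True, False, False),
    "verify-ca": (True, True, False),
    "verify-full": (True, True, True),
}

def parse_conninfo(conninfo):
    """Parse a keyword=value conninfo string (no spaces around '=')."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("not keyword=value: %r" % token)
        params[key] = value
    return params

def assess(conninfo, home="/root", exists=os.path.exists, env=os.environ):
    """Report what a libpq client with this conninfo actually enforces."""
    params = parse_conninfo(conninfo)
    mode = params.get("sslmode") or env.get("PGSSLMODE", "prefer")
    if mode not in SSLMODES:
        raise ValueError("unknown sslmode: %r" % mode)
    encrypted, verifies_ca, verifies_host = SSLMODES[mode]
    root_cert = (params.get("sslrootcert") or env.get("PGSSLROOTCERT")
                 or os.path.join(home, ".postgresql", "root.crt"))
    has_root = exists(root_cert)
    # Backward compatibility in libpq: "require" behaves like "verify-ca"
    # when a root certificate file is present.
    if mode == "require" and has_root:
        verifies_ca = True
    findings = []
    if not encrypted:
        findings.append("plaintext fallback possible")
    if not verifies_ca:
        findings.append("server certificate not verified")
    elif not has_root:
        findings.append("root certificate missing: connection will fail")
    return {"sslmode": mode, "root_cert": root_cert, "encrypted": encrypted,
            "verifies_ca": verifies_ca, "verifies_host": verifies_host,
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample: no sslmode given, so the default "prefer" applies.
    print(assess("host=db.example.com dbname=exampledb"))
```

With no `sslmode` set, the result shows that the connection succeeds whether or not `root.crt` has been copied to the client, because nothing is verified against it.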