Bug 1482697

Summary: Problem enabling SSL connections to CF database node
Product: Red Hat CloudForms Management Engine
Reporter: Saif Ali <saali>
Component: Appliance
Assignee: Nick Carboni <ncarboni>
Status: CLOSED CURRENTRELEASE
QA Contact: luke couzens <lcouzens>
Severity: medium
Docs Contact:
Priority: high
Version: 5.7.0
CC: abellott, jhardy, lcouzens, ncarboni, obarenbo
Target Milestone: GA
Keywords: TestOnly
Target Release: 5.10.0
Flags: lcouzens: needinfo-
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1527625
Environment:
Last Closed: 2018-06-21 21:03:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1527625

Description Saif Ali 2017-08-17 22:24:13 UTC
Description of problem:
We are following section 4.2 of the CF 4.2 Appliance Hardening Guide to enable SSL connections to our database appliance.  We completed the steps for the database appliance and have copied the root.crt to another connecting appliance; however, when we test the connection we get the following output:

[root@ahost ~]# psql -h aplcfdbp01.mmacct.root.mds -d vmdb_production
psql: SSL error: certificate verify failed
FATAL:  no pg_hba.conf entry for host "10.130.43.50", user "root", database "vmdb_production", SSL off

The pg_hba.conf file on the database appliance contains the following, and postgresql.conf has been updated per documentation:
# TYPE  DATABASE USER  ADDRESS       METHOD
local   all      all                 peer map=usermap
#host    all      all   all           md5
hostssl  all      all   all           md5
host  replication  all  all  md5


Version-Release number of selected component (if applicable):
5.7.2

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
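The server-side half of the failure quoted in the report can be reproduced offline: PostgreSQL walks pg_hba.conf top to bottom and applies the first entry whose type, database, user and client address all match, and a `hostssl` entry never matches a connection that reached the server without TLS. The following Python script is added here as an illustration; it is not part of the bug report or of CloudForms. It embeds the pg_hba.conf excerpt from the report as a constructed sample, reports which entry a given connection attempt would hit, and lists the entries that still admit unencrypted TCP connections. The matcher is an assumption-laden simplification: it handles `all`, `replication`, literal names and CIDR addresses, but not the `IP MASK` two-field form, `+group` syntax, hostnames, or the `map=` option (which it records but does not interpret).

```python
"""Offline evaluation of pg_hba.conf entries (added illustration, not CloudForms code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the pg_hba.conf excerpt quoted in the bug report.
PG_HBA_SAMPLE = """\
# TYPE  DATABASE USER  ADDRESS       METHOD
local   all      all                 peer map=usermap
#host    all      all   all           md5
hostssl  all      all   all           md5
host  replication  all  all  md5
"""


@dataclass
class HbaRule:
    conn_type: str            # local | host | hostssl | hostnossl
    database: str             # "all", "replication" or a comma-separated list of names
    user: str                 # "all" or a comma-separated list of names
    address: Optional[str]    # None for local entries, otherwise "all" or a CIDR block
    method: str               # authentication method (peer, md5, ...)
    options: List[str] = field(default_factory=list)  # e.g. ["map=usermap"], not interpreted


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf lines into rules, preserving file order (order is significant)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            db, user, method, opts = fields[1], fields[2], fields[3], fields[4:]
            rules.append(HbaRule(conn_type, db, user, None, method, opts))
        elif conn_type in ("host", "hostssl", "hostnossl"):
            # Assumption: ADDRESS is "all" or CIDR; the "IP MASK" two-field form is not handled.
            db, user, addr, method, opts = fields[1], fields[2], fields[3], fields[4], fields[5:]
            rules.append(HbaRule(conn_type, db, user, addr, method, opts))
        else:
            raise ValueError(f"unsupported pg_hba.conf entry type: {conn_type!r}")
    return rules


def _db_matches(spec: str, database: str, replication: bool) -> bool:
    for token in spec.split(","):
        if token == "all" and not replication:      # "all" never matches replication connections
            return True
        if token == "replication" and replication:
            return True
        if not replication and token == database:
            return True
    return False


def _user_matches(spec: str, user: str) -> bool:
    return any(token == "all" or token == user for token in spec.split(","))


def _address_matches(spec: str, client_ip: str) -> bool:
    if spec == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)


def first_matching_rule(rules, database, user, client_ip=None, ssl=False, replication=False):
    """Return the first entry PostgreSQL would apply to this connection attempt, or None.

    client_ip=None means a Unix-socket connection (only 'local' entries apply).
    ssl says whether the TCP connection arrived TLS-encrypted: hostssl entries match
    only when it did, hostnossl entries only when it did not.
    """
    for rule in rules:
        if rule.conn_type == "local":
            if client_ip is not None:
                continue
        else:
            if client_ip is None:
                continue
            if rule.conn_type == "hostssl" and not ssl:
                continue
            if rule.conn_type == "hostnossl" and ssl:
                continue
            if not _address_matches(rule.address, client_ip):
                continue
        if not _db_matches(rule.database, database, replication):
            continue
        if not _user_matches(rule.user, user):
            continue
        return rule
    return None


def describe_attempt(rules, database, user, client_ip, ssl):
    """Render the outcome in the form the server reports it to the client."""
    rule = first_matching_rule(rules, database, user, client_ip, ssl)
    if rule is None:
        return (f'FATAL:  no pg_hba.conf entry for host "{client_ip}", user "{user}", '
                f'database "{database}", SSL {"on" if ssl else "off"}')
    return f"accepted by '{rule.conn_type}' entry, authentication method {rule.method}"


def plaintext_tcp_entries(rules):
    """Entries that still admit unencrypted TCP connections (audit check for an SSL-only policy)."""
    return [r for r in rules if r.conn_type in ("host", "hostnossl")]


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA_SAMPLE)
    print(describe_attempt(rules, "vmdb_production", "root", "10.130.43.50", ssl=False))
    print(describe_attempt(rules, "vmdb_production", "root", "10.130.43.50", ssl=True))
    for r in plaintext_tcp_entries(rules):
        print(f"unencrypted TCP still allowed: {r.conn_type} {r.database} {r.user} {r.address} {r.method}")
```

With the report's configuration, an attempt from 10.130.43.50 as root to vmdb_production that arrived with SSL off matches no entry, which is exactly the FATAL line quoted above; the same attempt over TLS hits the hostssl entry and proceeds to md5 authentication. The audit helper also surfaces that the `host replication` entry still accepts replication traffic without TLS. Note that `hostssl` only forces encryption on the server side: whether the client checks the server certificate is decided by the client's sslmode (libpq's default, `prefer`, does not verify the certificate and falls back to a plain TCP connection when the TLS handshake fails), which is why a client with no root.crt can still connect, and why a failed verification shows up here as an "SSL off" rejection rather than a TLS error.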

Comment 7 luke couzens 2017-08-29 15:26:50 UTC
I can't seem to reproduce this in 5.7.3, only seeing this on 5.7.2.

I did, however, notice something else that may be the reason for this working in later builds: it seems that after enabling ssl on an appliance you can still connect to it without first copying the root.crt to the /root/.postgresql/ location of the client appliance.

Correct me if I am wrong, but I am not sure this should be possible; as far as I understand it, we should require the cert to connect to the appliance database?

Perhaps in later builds it seems as though this original issue is fixed, but in reality we are not actually connecting to the database with the cert.

Comment 8 Nick Carboni 2017-12-12 20:00:39 UTC
After looking into our process for enabling ssl on the database, it seems like none of the client configuration steps should be necessary.

Additionally, the /var/www/miq/vmdb/certs/root.crt file is not needed.

After seeing this, I created the following PRs to enable ssl using a newly generated cert on database creation:

https://github.com/ManageIQ/manageiq-appliance_console/pull/22
https://github.com/ManageIQ/manageiq-appliance/pull/162

These should remove the need for this portion of the documentation as it exists today.

We may want to add separate sections about using your own certs or configuring clients to only connect to database servers which are running using ssl. I'll open a separate docs BZ to track that after the PRs are merged.

Comment 9 Nick Carboni 2017-12-18 20:24:44 UTC
Moving this to post. A newly created internal database will be automatically configured to use ssl connections.

Comment 11 luke couzens 2018-06-21 07:30:57 UTC
Verified in 5.10