Bug 1508621

Summary: hammer SSL errors when using custom certificates on Satellite server
Product: Red Hat Satellite
Reporter: Eric Helms <ehelms>
Component: Installation
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: bbuckingham
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-08 15:07:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Eric Helms 2017-11-01 19:24:33 UTC
Description of problem:
On a default install of 6.3, when using custom certificates, hammer will throw an SSL error due to being configured to use the wrong SSL CA certificate.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install 6.3 with custom certificates
2. Run 'hammer organization list'
3.

Actual results:
Could not load the API description from the server: SSL certificate verification failed

Expected results:
Hammer lists organizations

Additional info:

This breaks due to /etc/hammer/cli.modules.d/foreman.yml being configured to have ssl_ca_file pointed at /etc/pki/katello/certs/katello-default-ca.crt. This certificate is not the CA being used by the Foreman webserver when custom certificates are being used. Rather, this should be configured to point at:

/etc/pki/katello/certs/katello-server-ca.crt

This comes from the fact that the puppet-foreman cli module (in the installer as foreman::cli) configures the ssl_ca_file based on the server_ssl_ca parameter from the main Foreman configuration [1]. This should either be explicitly configured in the installer or the logic updated here to grab the server_ssl_chain.


[1] https://github.com/theforeman/puppet-foreman/blob/master/manifests/cli.pp#L47
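
Added example (not part of the original report and not code from hammer or the installer): the CA mismatch described above, reproduced offline with Ruby's OpenSSL library. The two CAs and the server certificate are constructed throwaway data standing in for the default CA, the custom CA and the webserver certificate; issue_cert, verify_against_ca_file and demo are hypothetical helper names.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed sample data: a throwaway self-signed CA when issuer is nil,
# otherwise a leaf certificate signed by the given issuer.
def issue_cert(cn, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer.nil? # self-signed root: mark it as a CA
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify server_cert using only the CA bundle at ca_file, which is what a
# client does when ssl_ca_file points at that path.
# Returns [verified?, OpenSSL error string].
def verify_against_ca_file(ca_file, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  [store.verify(server_cert), store.error_string]
end

def demo
  Dir.mktmpdir do |dir|
    default_ca, = issue_cert('constructed default CA')
    custom_ca, custom_key = issue_cert('constructed custom CA')
    server, = issue_cert('satellite.example.com', custom_ca, custom_key)
    { default: default_ca, custom: custom_ca }.to_h do |name, ca|
      path = File.join(dir, "#{name}-ca.crt")
      File.write(path, ca.to_pem)
      [name, verify_against_ca_file(path, server)]
    end
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

On a real system the same check takes the path set as ssl_ca_file and the webserver's certificate loaded with OpenSSL::X509::Certificate.new(File.read(path)).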

Comment 2 Brad Buckingham 2017-11-08 15:07:29 UTC
This appears to be a duplicate of bug 1501980

*** This bug has been marked as a duplicate of bug 1501980 ***