Bug 1733250

Summary:	katello-change-hostname fails with ERROR '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
Product:	Red Hat Satellite	Reporter:	Jonathon Turel <jturel>
Component:	Infrastructure	Assignee:	Jonathon Turel <jturel>
Status:	CLOSED ERRATA	QA Contact:	Peter Dragun <pdragun>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.6.0	CC:	egolov, inecas
Target Milestone:	6.6.0	Keywords:	Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	katello-3.12.0-2	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-10-22 19:49:44 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jonathon Turel 2019-07-25 14:10:44 UTC

katello-change-hostname fails with ERROR when /opt/puppetlabs/bin/puppetserver ca setup tried to replace existing certs/keys during installer run

<pre>
# katello-change-hostname qe-foreman-rhel7-tier1.example.com -y -u admin -p changeme

Checking hostname validity

Checking overall health of server

Checking credentials

Updating default Foreman Proxy
Updating installation media paths
updating hostname in /etc/hostname
setting hostname
checking if hostname was changed
stopping services
removing old cert rpms
deleting old certs
backed up /var/www/html/pub to /var/www/html/pub/qe-foreman-rhel7.example.com-20190708104807.backup
updating hostname in /etc/hosts
updating hostname in foreman installer scenarios
backing up last_scenario.yaml
removing last_scenario.yaml
re-running the installer
foreman-installer --scenario katello -v --disable-system-checks --certs-regenerate=true --foreman-proxy-register-in-foreman true
restoring last_scenario.yaml
cleaning up temporary files
[ INFO 2019-07-08T10:48:37 verbose] Executing hooks in group pre_migrations
...

[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Error:
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/infra_crl.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/crl.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/ca_pub.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/inventory.txt'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/infra_inventory.txt'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/infra_serials'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/serial'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/root_key.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Existing file at '/etc/puppetlabs/puppet/ssl/ca/ca_key.pem'
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: If you would really like to replace your CA, please delete the existing files first.
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: Note that any certificates that were issued by this CA will become invalid if you
[ WARN 2019-07-08T10:49:26 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: replace it!
[ERROR 2019-07-08T10:49:26 verbose]  '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
</pre>

On nightly there is extra line saying "restoring last_scenario.yaml" while downstream 6.6 is OK without this line

<pre>
foreman-1.23.0-0.12.develop.20190707155541git1100d84.el7.noarch
katello-3.13.0-0.3.master.el7.noarch
katello-common-3.13.0-0.3.master.el7.noarch
</pre>

Comment 1 Jonathon Turel 2019-07-25 14:10:47 UTC

Created from redmine issue https://projects.theforeman.org/issues/27255

Comment 2 Jonathon Turel 2019-07-25 14:10:48 UTC

Upstream bug assigned to jturel

Comment 4 Jonathon Turel 2019-07-25 14:20:29 UTC

The change for this problem contained two fixes:

The puppet error which was reported does not affect 6.6, however, satellite(katello)-change-hostname was broken for Capsules and that fix is included.

To test:

- Register a 6.6 capsule to a Satellite
- On the Satellite use 'foreman-proxy-content-certs-generate' to generate the tarball of certs for the new desired hostname of the Capsule
- Transfer the tarball to the capsule
- Change the hostname on the Capsule: satellite-change-hostname newcapsulehostname.example.com --certs-tar <path to tarball> -u admin -p changeme


The command should succeed. In previous snaps it would fail due to giving the installer an invalid parameter: foreman-proxy-content-certs-tar

Comment 5 Bryan Kearney 2019-07-31 14:08:02 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27255 has been resolved.

Comment 7 Peter Dragun 2019-09-13 13:01:53 UTC

Verfied on Satellite 6.6 snap 19 using command from problem description. Hostname is successfully changed.

Output:
... 
[ WARN 2019-09-13T08:28:53 verbose]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: executed successfully
...
**** Hostname change complete! ****

Comment 8 Bryan Kearney 2019-10-22 19:49:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172