Description of problem:
Due to different approach between certificate generations and /etc/tomcat/cert-users.properties generation is possible to get authentication errors in candlepin.
If any empty string is used in certs part of /etc/foreman-installer/scenarios.d/satellite-answers.yaml as below
---
certs:
country: US
state: '' <<<<<<<<<
city: Raleigh
org: Katello
org_unit: '' <<<<<<<<
certificate is generated without ST and OU as below
# grep Subject /etc/pki/katello/certs/java-client.crt
Subject: C=US, O=candlepin, CN=localhost
however /etc/tomcat/cert-users.properties is generate with empty OU and ST as below
# cat /etc/tomcat/cert-users.properties
katelloUser=CN=localhost, OU=, O=candlepin, ST=, C=US
due to this mismatch authentication errors appear in /var/log/candlepin/error.log as below
2021-05-24 17:00:54,608 [thread=Thread-16 (activemq-netty-threads)] [=, org=, csid=] WARN org.apache.activemq.artemis.core.server - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:54708. Username: null; SSL certificate subject DN: CN=localhost, O=candlepin, C=US
2021-05-24 17:00:54,609 [thread=Thread-16 (activemq-netty-threads)] [=, org=, csid=] WARN org.apache.activemq.artemis.core.protocol.stomp - AMQ332069: Sent ERROR frame to STOMP client /127.0.0.1:54708: Security Error occurred: User name [null] or password is invalid
and hammer ping
# hammer ping
candlepin_events:
Status: FAIL
message: Not running
Server Response: Duration: 2ms
Version-Release number of selected component (if applicable):
At least since satellite-installer-6.8.0.11-1.el7sat.noarch
How reproducible: Always
Steps to Reproduce:
1. Update /etc/foreman-installer/scenarios.d/satellite-answers.yaml
2. Fill some empty strings in certs category as 'state'
3. # satellite-installer --certs-regenerate true --certs-update-all --certs-update-server --certs-update-server-ca
Actual results:
Auth errors and hammer ping FAIL
Expected results:
No errors, correct generation of /etc/tomcat/cert-users.properties
Additional info:
I tested various combinations of ST, OU and also few other cert parameters. No combination went to failing 'hammer ping'.
In case of empty 'state' parameter there was an unclear error message - new bug 2165107 created.
VERIFIED with Satellite 6.13 SNAP7.0 @RHEL8.7
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2023:2097