Bug 2090820

Summary: satellite upgrade to 6.11 fails in installer with "Could not open SSL root certificate file /root/.postgresql/root.crt" error for external DB setup
Product: Red Hat Satellite Reporter: Gaurav Talreja <gtalreja>
Component: InstallationAssignee: Amit Upadhye <aupadhye>
Status: CLOSED ERRATA QA Contact: Gaurav Talreja <gtalreja>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.11.0CC: aupadhye, egolov, ehelms, pcreech, vijsingh
Target Milestone: 6.11.0Keywords: Regression, Triaged, UpgradeBlocker, Upgrades
Target Release: Unused   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: rubygem-foreman_maintain-1.0.12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 14:35:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gaurav Talreja 2022-05-26 15:47:44 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
Satellite 6.10.6 

How reproducible:
Always

Steps to Reproduce:
1. Prepare Satellite 6.10.6 with external PostgreSQL (with SSL)
2. Setup all required repositories and upgrade foreman-maintain packages
3. # foreman-maintain upgrade run --target-version 6.11 --whitelist='repositories-validate,repositories-setup'
...
Running Migration scripts to Satellite 6.11
================================================================================
Setup repositories:                                                   [SKIPPED]
--------------------------------------------------------------------------------
Unlock packages:                                                      [OK]
--------------------------------------------------------------------------------
Update package(s) :                                                   [OK]
--------------------------------------------------------------------------------
Procedures::Installer::Upgrade: 2022-05-26 11:15:55 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-05-26 11:16:02 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-05-26 11:16:02 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2022-05-26 11:16:08 [WARN  ] [pre] Skipping system checks.
2022-05-26 11:16:08 [WARN  ] [pre] Skipping system checks.
2022-05-26 11:16:33 [NOTICE] [configure] Starting system configuration.
2022-05-26 11:16:48 [NOTICE] [configure] 250 configuration steps out of 1849 steps complete.
2022-05-26 11:17:04 [NOTICE] [configure] 500 configuration steps out of 1851 steps complete.
2022-05-26 11:17:11 [ERROR ] [configure] Execution of '/usr/share/candlepin/cpdb --update --dbhost=<satellite> --dbport=5432 --database=candlepin1db?ssl=true --user=candlepin1! --<passwd>=RedHat1!' returned 1: ########## ERROR ############
2022-05-26 11:17:11 [ERROR ] [configure] Error running command: /usr/share/candlepin/liquibase.sh --driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.3.3.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-update.xml --url="jdbc:postgresql://<satellite>:5432/candlepin1db?ssl=true" --username=$DBUSERNAME --<passwd>=$DB<passwd> --logLevel=severe migrate -Dcommunity=False
2022-05-26 11:17:11 [ERROR ] [configure] Status code: 65280
2022-05-26 11:17:11 [ERROR ] [configure] Command output: Liquibase update Failed: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
2022-05-26 11:17:11 [ERROR ] [configure] SEVERE 5/26/22, 11:17 AM:liquibase: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
2022-05-26 11:17:11 [ERROR ] [configure] liquibase.exception.DatabaseException: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.integration.commandline.CommandLineUtils.createDatabaseObject(CommandLineUtils.java:61)
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.integration.commandline.Main.doMigration(Main.java:788)
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.integration.commandline.Main.main(Main.java:133)
2022-05-26 11:17:11 [ERROR ] [configure] Caused by: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.database.DatabaseFactory.openConnection(DatabaseFactory.java:231)
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.database.DatabaseFactory.openDatabase(DatabaseFactory.java:141)
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.integration.commandline.CommandLineUtils.createDatabaseObject(CommandLineUtils.java:52)
2022-05-26 11:17:11 [ERROR ] [configure] ... 2 more
2022-05-26 11:17:11 [ERROR ] [configure] Caused by: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:150)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:34)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:571)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:168)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.Driver.makeConnection(Driver.java:400)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.Driver.connect(Driver.java:259)
2022-05-26 11:17:11 [ERROR ] [configure] at liquibase.database.DatabaseFactory.openConnection(DatabaseFactory.java:223)
2022-05-26 11:17:11 [ERROR ] [configure] ... 4 more
2022-05-26 11:17:11 [ERROR ] [configure] Caused by: java.io.FileNotFoundException: /root/.postgresql/root.crt (No such file or directory)
2022-05-26 11:17:11 [ERROR ] [configure] at java.base/java.io.FileInputStream.open0(Native Method)
2022-05-26 11:17:11 [ERROR ] [configure] at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
2022-05-26 11:17:11 [ERROR ] [configure] at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
2022-05-26 11:17:11 [ERROR ] [configure] at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
2022-05-26 11:17:11 [ERROR ] [configure] at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:147)
2022-05-26 11:17:11 [ERROR ] [configure] ... 14 more
...

Actual results:
Upgrade fails

Expected results:
Successful upgrade to 6.11

Additional info:
Seems related to https://bugzilla.redhat.com/show_bug.cgi?id=2062189
Comment 8 Amit Upadhye 2022-06-07 10:27:42 UTC 
Created redmine issue https://projects.theforeman.org/issues/35029 from this bug
Comment 9 Bryan Kearney 2022-06-08 12:04:38 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35029 has been resolved.
Comment 10 Gaurav Talreja 2022-06-13 19:51:28 UTC 
Hi,

Tested upgrade for Satellite with external DB SSL setup from 6.10.7 to 6.11, and it works perfectly by adding new required flag to the installer step in the 6.11 upgrade scenario.

--------------------------------------------------------------------------------
Run installer with Candlepin SSL CA when using external database with SSL:
- Running installer with --katello-candlepin-db-ssl-ca /usr/share/foreman/root.crt argument!
                                                                      [OK]
--------------------------------------------------------------------------------


As well, I check upgrades for regular Satellite and Satellite with external DB on non-SSL setup, which also return the below message for the installer step, so I was wondering if anyone knew if this flag is supposed to be set for these setups? if yes, so it is still set to UNDEF after an upgrade, or is it just a message from the description of the procedure?

--------------------------------------------------------------------------------
Run installer with Candlepin SSL CA when using external database with SSL:
| Executing installer                                                 [OK]
--------------------------------------------------------------------------------


As you can see, this description/message is misleading for regular and non-SSL Satellite setups, so I believe it should only be modified if `extdb_and_ssl?`, so how do you recommend handling this BZ?


Thanks,
Gaurav
Comment 11 Amit Upadhye 2022-06-14 10:25:50 UTC 
Hello Gaurav,

Thanks for testing the change.

I feel the current messaging is correct as we also show if installer is getting executed with extra options in both cases. We can change the description of the procedure however I also feel that's the use of the procedure?

This should not be the blocker for the GA, if required another bugzilla can be opened to change the description if needed.

Regards,
Amit Upadhye.
Comment 12 Gaurav Talreja 2022-06-14 12:36:18 UTC 
Hello Amit,

Thanks for looking into this.

>> I feel the current messaging is correct as we also show if an installer is getting executed with extra options in both cases. We can change the description of the procedure however I also feel that's the use of the procedure?

Looking at the code below I don't think an installer is executed with extra options in both cases, but shouldn't the extra options be specific to extdb_and_ssl? 
```
    def run
      if extdb_and_ssl?
        run_installer_with_extra_option
      else
        run_installer
      end
    end
```
and if the installer runs with extra options for both cases then I check it is not being set after a successful upgrade to 6.11 for regular and non-SSL external DB Satellite setups

# satellite-installer --full-help | grep katello-candlepin-db-ssl-ca
    --katello-candlepin-db-ssl-ca  The CA certificate to verify the SSL connection to the database with (current: UNDEF)
    --reset-katello-candlepin-db-ssl-ca Reset candlepin_db_ssl_ca to the default value (UNDEF)

>> This should not be the blocker for the GA, if required another bugzilla can be opened to change the description if needed.
Yes, I totally agree with you. I've opened a BZ to track this description issue separately BZ 2096849.

Hence verifying this BZ for Satellite 6.11.0 Snap 24.0 with version rubygem-foreman_maintain-1.0.12-1.el7sat.noarch
Comment 15 errata-xmlrpc 2022-07-05 14:35:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498