Bug 2124568

Summary: 'candlepin-validate-db' pre-upgrade check fails with "Could not open SSL root certificate file /root/.postgresql/root.crt" error for external DB setup with SSL
Product: Red Hat Satellite
Reporter: Gaurav Talreja <gtalreja>
Component: Satellite Maintain
Assignee: Amit Upadhye <aupadhye>
Status: CLOSED ERRATA
QA Contact: Gaurav Talreja <gtalreja>
Severity: high
Priority: unspecified
Version: 6.12.0
CC: apatel, aupadhye, ehelms, kgaikwad, pcreech
Target Milestone: 6.12.0
Keywords: Regression, Triaged, UpgradeBlocker
Target Release: Unused
Hardware: All
OS: All
Fixed In Version: rubygem-foreman_maintain-1.1.6
: 2131781
Last Closed: 2022-11-16 13:35:39 UTC
Type: Bug

Description Gaurav Talreja 2022-09-06 14:04:44 UTC
Description of problem:
The Satellite pre-upgrade check to validate the Candlepin DB, 'candlepin-validate-db', fails with the "Could not open SSL root certificate file /root/.postgresql/root.crt" error for an external DB setup with SSL.

Version-Release number of selected component (if applicable):
Satellite 6.11.2 Snap 2.0 and Satellite 6.12.0 Snap 9.0

How reproducible:
Always

Steps to Reproduce:
1. # foreman-maintain upgrade check --target-version 6.12
OR
1. # foreman-maintain health check --label candlepin-validate-db
```
--------------------------------------------------------------------------------
Check to validate candlepin database:                                 [FAIL]
########## ERROR ############
Error running command: /usr/share/candlepin/liquibase.sh --driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.3.3.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-validate.xml --url="jdbc:postgresql://satellite.example.com:5432/candlepin1db?ssl=true" --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=debug migrate -Dcommunity=False
Status code: 255
Command output: Liquibase update Failed: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
SEVERE 9/6/22, 9:09 AM:liquibase: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
liquibase.exception.DatabaseException: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
	at liquibase.integration.commandline.CommandLineUtils.createDatabaseObject(CommandLineUtils.java:61)
	at liquibase.integration.commandline.Main.doMigration(Main.java:788)
	at liquibase.integration.commandline.Main.main(Main.java:133)
Caused by: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
	at liquibase.database.DatabaseFactory.openConnection(DatabaseFactory.java:231)
	at liquibase.database.DatabaseFactory.openDatabase(DatabaseFactory.java:141)
	at liquibase.integration.commandline.CommandLineUtils.createDatabaseObject(CommandLineUtils.java:52)
	... 2 more
Caused by: org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt.
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:150)
	at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:34)
	at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:571)
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:168)
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
	at org.postgresql.Driver.makeConnection(Driver.java:400)
	at org.postgresql.Driver.connect(Driver.java:259)
	at liquibase.database.DatabaseFactory.openConnection(DatabaseFactory.java:223)
	... 4 more
Caused by: java.io.FileNotFoundException: /root/.postgresql/root.crt (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:147)
	... 14 more


For more information, use the --logLevel flag
Configuring PostgreSQL with JDBC URL: jdbc:postgresql://satellite.example.com:5432/candlepin1db?ssl=true
Validating Candlepin database
--driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.3.3.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-validate.xml --url="jdbc:postgresql://satellite.example.com:5432/candlepin1db?ssl=true" --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=debug
Traceback (most recent call last):
  File "/usr/share/candlepin/cpdb", line 287, in <module>
    dbsetup.validate()
  File "/usr/share/candlepin/cpdb", line 75, in validate
    self._run_liquibase("db/changelog/changelog-validate.xml")
  File "/usr/share/candlepin/cpdb", line 114, in _run_liquibase
    output = run_command("/usr/share/candlepin/liquibase.sh %s migrate -Dcommunity=%s" % (liquibase_options, self.community))
  File "/usr/share/candlepin/cpdb", line 43, in run_command
    error_out(command, status, output)
  File "/usr/share/candlepin/cpdb", line 51, in error_out
    raise Exception("Error running command")
Exception: Error running command
--------------------------------------------------------------------------------
```

Additional info:
Seems similar to BZ 2090820

Comment 1 Eric Helms 2022-09-12 17:56:30 UTC
Can you expand on how you installed your Satellite 6.11 with external database with SSL? To do so, you would have needed to run the installer with `--katello-candlepin-db-ssl-ca` which should then have avoided this issue.
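
Added example, not part of this thread and not foreman_maintain or Candlepin code: a small check that works out which root certificate file the PostgreSQL JDBC driver will try to open for a given JDBC URL. It assumes pgjdbc 42.2.5 or later (where `ssl=true` without `sslmode` means `verify-full`), no custom `sslfactory` parameter, and a Unix default of `<home>/.postgresql/root.crt`; the function names are hypothetical.

```python
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# pgjdbc reads a root certificate only in the certificate-verifying modes.
VERIFYING_MODES = {"verify-ca", "verify-full"}


def effective_sslmode(params):
    """Explicit sslmode wins; ssl=true or a bare ssl means verify-full; else prefer."""
    if "sslmode" in params:
        return params["sslmode"]
    if params.get("ssl", "false").lower() in ("true", ""):
        return "verify-full"
    return "prefer"


def root_cert_check(jdbc_url, home):
    """Return (sslmode, root cert path or None, ok) for a jdbc:postgresql:// URL.

    Assumes the URL carries no custom sslfactory parameter.
    """
    if not jdbc_url.startswith("jdbc:postgresql://"):
        raise ValueError("not a PostgreSQL JDBC URL")
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    # keep_blank_values so that a bare "ssl" or "ssl=" is still seen
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    mode = effective_sslmode(params)
    if mode not in VERIFYING_MODES:
        return mode, None, True  # no CA file is read in these modes
    # Without sslrootcert the driver falls back to <home>/.postgresql/root.crt
    cert = Path(params.get("sslrootcert") or Path(home) / ".postgresql" / "root.crt")
    return mode, cert, cert.is_file()


if __name__ == "__main__":
    # URL taken from the failing command in the report; the check ran as root.
    url = "jdbc:postgresql://satellite.example.com:5432/candlepin1db?ssl=true"
    mode, cert, ok = root_cert_check(url, "/root")
    print(f"sslmode={mode} root_cert={cert} present={ok}")
```

A result with `ok` false for a verifying mode means the connection will fail before any TLS handshake, which is the `FileNotFoundException` at the bottom of the trace above.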

Comment 3 Bryan Kearney 2022-09-19 16:04:56 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35533 has been resolved.

Comment 5 Gaurav Talreja 2022-09-26 07:32:06 UTC
Verified.

Tested on Satellite 6.12.0 Snap 12.0 
Version: rubygem-foreman_maintain-1.1.6-1.el8sat.noarch

Steps:
1. Set up Satellite 6.11 with External DB with SSL along with 6.12 repos required for upgrade.
2. # foreman-maintain upgrade check --target-version 6.12
OR
2. # foreman-maintain health check --label candlepin-validate-db

Observation:
candlepin-validate-db check passes without any errors.

Comment 9 errata-xmlrpc 2022-11-16 13:35:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506

Comment 10 Red Hat Bugzilla 2023-09-19 04:25:56 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.