Bug 2144044

Summary: Error "no certificate or crl found" when using a http proxy as "Default Http Proxy" for content syncing or manifest operations in Satellite 6.12
Product: Red Hat Satellite
Reporter: Sayan Das <saydas>
Component: Repositories
Assignee: Partha Aji <paji>
Status: CLOSED ERRATA
QA Contact: Vladimír Sedmík <vsedmik>
Severity: urgent
Priority: high
Version: 6.12.0
CC: ahumbe, bhoppus, jpasqual, pcreech, pdwyer, rrajput, sadas, vsedmik, wclark
Target Milestone: 6.13.0
Keywords: Regression, Triaged
Target Release: Unused
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Clone Of:
: 2150118 (view as bug list) Environment:
Last Closed: 2023-05-03 13:23:05 UTC
Type: Bug
Attachments: Hotfix RPM for Satellite 6.12.0 (flags: none)

Description Sayan Das 2022-11-18 18:56:15 UTC
Description of problem:

Satellite 6.12 cannot work with an http proxy whereas the same proxy can be used with Satellite 6.11.4 and works great. 


Version-Release number of selected component (if applicable):

Satellite 6.12.0


How reproducible:

100%


Steps to Reproduce:

1. Install a squid proxy server and run it on http://10.74.XXX.XX:3128  

2. Install a Satellite 6.12 

3. Import a subscription manifest

4. Create an HTTP proxy inside the Infrastructure --> HTTP Proxies page using http://10.74.XXX.XX:3128 as the URL.

5. Set that as a "Default HTTP Proxy" in Administer --> Settings --> Content Tab 

6. Access the Content --> Subscriptions page

7. Try expanding / checking any repository set from Content --> Red Hat Repositories page


Actual results:


Step 6

* UI Shows "no certificate or crl found"

* Satellite never even connects to proxy

* Production.log has this traceback 

2022-11-19T00:11:19 [E|app|ee15f1b2] Katello::HttpErrors::BadRequest: no certificate or crl found
 ee15f1b2 | /usr/share/gems/gems/katello-4.5.0.20/app/controllers/katello/api/v2/api_controller.rb:271:in `rescue in check_upstream_connection'
 ee15f1b2 | /usr/share/gems/gems/katello-4.5.0.20/app/controllers/katello/api/v2/api_controller.rb:268:in `check_upstream_connection'
 ee15f1b2 | /usr/share/gems/gems/activesupport-6.0.4.7/lib/active_support/callbacks.rb:428:in `block in make_lambda'
 ee15f1b2 | /usr/share/gems/gems/activesupport-6.0.4.7/lib/active_support/callbacks.rb:200:in `block (2 levels) in halting'
 ee15f1b2 | /usr/share/gems/gems/actionpack-6.0.4.7/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
 ee15f1b2 | /usr/share/gems/gems/activesupport-6.0.4.7/lib/active_support/callbacks.rb:201:in `block in halting'
 ee15f1b2 | /usr/share/gems/gems/activesupport-6.0.4.7/lib/active_support/callbacks.rb:513:in `block in invoke_before'



Step 7

* UI shows "No Repositories available"

* Satellite never even connects to the proxy

* production.log shows the following traceback for the Actions::Katello::RepositorySet::ScanCdn task

2022-11-19T00:12:25 [E|bac|8732f73b] no certificate or crl found (OpenSSL::X509::StoreError)
 8732f73b | /usr/share/foreman/lib/foreman/util.rb:37:in `add_file'
 8732f73b | /usr/share/foreman/lib/foreman/util.rb:37:in `block in add_ca_bundle_to_store'
 8732f73b | /usr/share/ruby/tempfile.rb:291:in `open'
 8732f73b | /usr/share/foreman/lib/foreman/util.rb:34:in `add_ca_bundle_to_store'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/lib/katello/resources/cdn.rb:53:in `initialize'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/lib/katello/resources/cdn.rb:67:in `new'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/lib/katello/resources/cdn.rb:67:in `create'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/models/katello/product.rb:219:in `cdn_resource'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/lib/actions/katello/repository_set/scan_cdn.rb:38:in `cdn_var_substitutor'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/lib/actions/katello/repository_set/scan_cdn.rb:30:in `fetch_results'
 8732f73b | /usr/share/gems/gems/katello-4.5.0.20/app/lib/actions/katello/repository_set/scan_cdn.rb:24:in `run'
 8732f73b | /usr/share/gems/gems/dynflow-1.6.4/lib/dynflow/action.rb:582:in `block (3 levels) in execute_run'
 8732f73b | /usr/share/gems/gems/dynflow-1.6.4/lib/dynflow/middleware/stack.rb:27:in `pass'
 8732f73b | /usr/share/gems/gems/dynflow-1.6.4/lib/dynflow/middleware.rb:19:in `pass'




Expected results:


No such issues 


Additional info:
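
Added example, not part of the bug report and not Foreman or Katello code: the Step 7 traceback ends in add_file called from add_ca_bundle_to_store on a temporary file, and the Ruby below shows that OpenSSL::X509::Store#add_file raises StoreError whenever that file holds no PEM certificate, next to a guarded loader that keeps the system trust store instead of failing. That a certificate-less bundle was the trigger here is an assumption (the report does not state the root cause); build_store, raw_add_error and sample_ca_pem are hypothetical names.

```ruby
require 'openssl'
require 'tempfile'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Hypothetical guarded loader (not Foreman's add_ca_bundle_to_store).
# Starts from the system trust store, then adds only the certificates that
# are really present in +bundle+. Returns [store, number_added]. An empty
# bundle adds nothing; it never raises and never relaxes verification.
def build_store(bundle)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  added = 0
  bundle.to_s.scan(PEM_CERT).each do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
    added += 1
  end
  [store, added]
end

# Unguarded pattern seen in the traceback: write the bundle to a tempfile and
# call add_file. Returns the exception class on failure, nil on success.
def raw_add_error(bundle)
  store = OpenSSL::X509::Store.new
  Tempfile.open('ca-bundle') do |f|
    f.write(bundle.to_s)
    f.flush
    store.add_file(f.path)
  end
  nil
rescue OpenSSL::X509::StoreError => e
  e.class
end

# Constructed sample input: a throwaway self-signed CA generated in-process.
def sample_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

When build_store reports 0 added certificates, the caller should keep VERIFY_PEER and rely on the default paths rather than turning verification off.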

Comment 3 Partha Aji 2022-11-18 20:41:32 UTC
Connecting redmine issue https://projects.theforeman.org/issues/35773 from this bug

Comment 5 Bryan Kearney 2022-12-01 04:03:33 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35773 has been resolved.

Comment 6 wclark 2022-12-05 16:03:43 UTC
Created attachment 1930136
Hotfix RPM for Satellite 6.12.0

NOTE: This hotfix contains the fixes for the following BZs: 2144044, 2133615, 2133343, 2116375

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.12.0 server

2. Download the hotfix RPM attached to this BZ and copy it to Satellite server

3. # dnf install ./rubygem-katello-4.5.0.20-3.HOTFIXRHBZ2144044.el8sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

Comment 11 errata-xmlrpc 2023-05-03 13:23:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097