Bug 599042

Summary: Installation over HTTPS Fails
Product: Red Hat Enterprise Linux 6 Reporter: Marko Myllynen <myllynen>
Component: anacondaAssignee: Ales Kozumplik <akozumpl>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: low Docs Contact:
Priority: low    
Version: 6.1CC: akozumpl, atodorov, borgan, ddumas, jzeleny, kengert, rrelyea, slukasik, unwosu, xdmoon
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: anaconda-13.21.84-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 599040
: 660340 (view as bug list) Environment:
Last Closed: 2011-05-19 12:29:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 599040    
Bug Blocks: 647893, 660340    

Description Marko Myllynen 2010-06-02 15:10:20 UTC 
+++ This bug was initially created as a clone of Bug #599040 +++

Creating this bug report for tracking the feature in RHEL 6.

Description of problem:
When trying to do partly kickstart based installation of Fedora from an HTTPS repository, the attempt will fail if the certificate is self-signed (in other words it is not signed by a well-known CA). The user could make the used CA certificate trusted by modifying the global storage of trusted certificates (currently /etc/pki/tls/certs/ca-bundle.crt). This could be done in a %pre script, e.g:

%pre
cat >/etc/pki/tls/certs/ca-bundle.crt <<END
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
MdRAGmI0Nj81Aa6sY6A=
-----END CERTIFICATE-----
%end

It is of course up to the user to make sure the certificate/kickstart file is obtained from a trusted source.

However, in some cases this workaround might not be optimal, ideally the installer could, for example, present a pop-up window asking whether or not to accept the certificate if the CA cert is not well-known (perhaps in the same spirit as Firefox does).
Comment 3 RHEL Program Management 2010-06-04 13:43:21 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 11 RHEL Program Management 2010-10-29 21:32:09 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.
Comment 12 Ales Kozumplik 2010-12-06 15:53:35 UTC 
Fixed on rhel6-branch by
d40bfb8389074ad5983a8c082d17056d81b1e255,
5543b2c7babf343a82d586aa378008bea549d8ba,
b4fe453611886f28b8669b8f5cb2f4a0a0111400 and
e32f4a2a45bc74f5413c3b48f8de20cac1025fbf.

Will be fixed in anaconda-13.21.84-1.

See also bug 660340.
Comment 16 Ales Kozumplik 2011-02-21 08:25:42 UTC 
There has been three additional bugs opened describing problems with the feature opened: bug 678580, bug 678580 and bug 678574.

Moving this back to modified.
Comment 18 Alexander Todorov 2011-03-30 13:13:39 UTC 
This is more like a tracker bug. I will move it to VERIFIED and will track remaining issues in separate BZs.
Comment 19 errata-xmlrpc 2011-05-19 12:29:39 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0530.html