Bug 760280
Summary: | katello-configure fails with ssl key creation error
---|---
Product: | Red Hat Satellite
Reporter: | Mike McCune <mmccune>
Component: | Infrastructure
Assignee: | Tomas Lestach <tlestach>
Status: | CLOSED CURRENTRELEASE
QA Contact: | Katello QA List <katello-qa-list>
Severity: | high
Priority: | high
Version: | 6.0.0
CC: | cperry, kbidarka, lzap
Target Milestone: | Unspecified
Keywords: | Regression, Triaged
Target Release: | Unused
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
Last Closed: | 2012-08-22 18:10:33 UTC
Bug Blocks: | 747354

Description
Mike McCune
2011-12-05 18:30:23 UTC
    # rpm -qa |grep katello | sort
    katello-0.1.123-1.el6.x86_64
    katello-all-0.1.123-1.el6.x86_64
    katello-certs-tools-1.0.1-1.el6.noarch
    katello-cli-0.1.20-1.el6.noarch
    katello-cli-common-0.1.20-1.el6.noarch
    katello-common-0.1.123-1.el6.noarch
    katello-configure-0.1.24-1.el6.noarch
    katello-glue-candlepin-0.1.123-1.el6.x86_64
    katello-glue-foreman-0.1.123-1.el6.x86_64
    katello-glue-pulp-0.1.123-1.el6.x86_64
    katello-httpd-ssl-key-pair-1.0-1.noarch
    katello-qpid-broker-key-pair-1.0-1.noarch
    katello-repos-0.1.4-1.el6.noarch
    katello-trusted-ssl-cert-1.0-1.noarch

Tomas, Lukas,

Looks like SSL commit has at least one bug - can we investigate and resolve within the next 2 days. Hopefully it is a quick / easy fix.

Cliff

quick workaround:

    katello-configure --skip-ssl-ca-generation=True

My test install completed without error.

    [root@dhcp77-206 ~]# katello-configure --help
    Usage: /usr/sbin/katello-configure [options]
      --answer-file=ANSWER_FILE Path of the answer file
      --user-name=USER_NAME Katello administrative user (default: admin)
      --user-pass=USER_PASS Katello user's password (default: admin)
      --user-email=USER_EMAIL Katello user's email (default: root@localhost)
      --org-name=ORG_NAME Katello initial Organization (default: ACME_Corporation)
      --proxy-url=PROXY_URL HTTP Proxy URL (example: http://172.31.1.1)
      --proxy-port=PROXY_PORT HTTP Proxy port (default: 3128)
      --proxy-user=PROXY_USER HTTP Proxy user (proxy username, if auth is required)
      --proxy-pass=PROXY_PASS HTTP Proxy pass (proxy password, if auth is required)
      --db-name=DB_NAME Katello database name
      --db-user=DB_USER Katello database user
      --db-password=DB_PASSWORD Katello database password
      --deployment=DEPLOYMENT Deployment Type
      --non-interactive=NON_INTERACTIVE Non-interactive installer mode
      --skip-ssl-ca-generation=SKIP_SSL_CA_GENERATION skip SSL CA generation
      --ssl-ca-password=SSL_CA_PASSWORD SSL CA password
      --ssl-ca-country=SSL_CA_COUNTRY SSL CA country
      --ssl-ca-state=SSL_CA_STATE SSL CA state
      --ssl-ca-city=SSL_CA_CITY SSL CA city
      --ssl-ca-org=SSL_CA_ORG SSL CA organization
      --ssl-ca-org-unit=SSL_CA_ORG_UNIT SSL CA organization unit
      --ssl-ca-cn=SSL_CA_CN SSL CA common name
      --ssl-ca-email=SSL_CA_EMAIL SSL CA e-mail address
      --ssl-cert-expiration=SSL_CERT_EXPIRATION SSL certificate expiration (in days)
      --ssl-ca-password-file=SSL_CA_PASSWORD_FILE SSL CA password file path
      --keystore-password-file=KEYSTORE_PASSWORD_FILE Keystore password file path
      --nss-db-password-file=NSS_DB_PASSWORD_FILE NSS DB password file path
      --only-show-config Print the resulting configuration and exit
      -h, --help Show this short summary
    [root@dhcp77-206 ~]# hostname
    dhcp77-206.rhndev.redhat.com
    [root@dhcp77-206 ~]# katello-configure
    Starting Katello configuration
    The top-level log file is [/var/log/katello/katello-configure-20111205-152404/main.log]
    [root@dhcp77-206 ~]# echo $?
    0
    [root@dhcp77-206 ~]# rpm -q katello-configure
    katello-configure-0.1.24-1.el6.noarch
    [root@dhcp77-206 ~]#

Potentially - this is an ordering issue and we need to be more strict with requires/dep to force puppet order.

Mike, can we have the install log to review. I can compare my good install puppet ordering to your bad install puppet ordering.

Cliff

Created attachment 541082
install log for failed attempt

Attaching the logfile from the install run as posted in the first summary

Hey Mike,

katello-configure (within katello-configure-0.1.24-1.el6.noarch) finished also without any issues on my newly installed 64-bit RHEL6.1. I do the installation strictly according to https://fedorahosted.org/katello/wiki/Install

How did you do your installation? Can you reproduce it on another machine?

According to the #Description, CA private key (/root/ssl-build/KATELLO-PRIVATE-SSL-KEY) cannot be read. But according to the posted main.log, that private key will be used also earlier.

Could you check /root/ssl-build/KATELLO-PRIVATE-SSL-KEY - whether you can access the file, its permissions, SELinux context, if the content looks meaningful, something like:

    -----BEGIN RSA PRIVATE KEY-----
    <base64 encoded key>
    -----END RSA PRIVATE KEY-----

?

The dependencies look good to me: generate-ssl-keystore depends on generate-keystore-password, that on deploy-ssl-ca-certificate, that on generate-ssl-ca-certificate - and that generates apart from the other stuff - the CA private key.

What version of openssl do you have installed? On my machine:

    openssl-1.0.0-10.el6.x86_64

I face the same issue even with freshly installed f15 machines.

    [root@scalpel dev]# katello-configure
    Starting Katello configuration
    The top-level log file is [/var/log/katello/katello-configure-20111206-102153/main.log]
    err: /Stage[main]/Certs::Config/Exec[generate-ssl-keystore]/returns: change from notrun to 0 failed: openssl pkcs12 -export -in /usr/share/katello/KATELLO-TRUSTED-SSL-CERT -inkey /root/ssl-build/KATELLO-PRIVATE-SSL-KEY -out /etc/pki/katello/keystore -name tomcat -CAfile /usr/share/katello/KATELLO-TRUSTED-SSL-CERT -caname root -chain -passin "file:/etc/katello/ssl_ca_password-file" -password "file:/etc/katello/keystore_password-file" returned 1 instead of one of [0] at /usr/share/katello/install/puppet/modules/certs/manifests/config.pp:102
    [root@scalpel dev]# vi /var/log/katello/katello-configure-20111206-102153/main.log
    [root@scalpel dev]# rpm -q katello-configure
    katello-configure-0.1.24-1.fc15.noarch
    [root@scalpel dev]# rpm -qav | grep -i openssl
    openssl-1.0.0d-1.fc15.x86_64
    [root@scalpel dev]# rpm -qav | grep -i katello
    katello-cli-0.1.21-1.fc15.noarch
    katello-certs-tools-1.0.1-1.fc15.noarch
    katello-glue-pulp-0.1.124-1.fc15.x86_64
    katello-httpd-ssl-key-pair-1.0-1.noarch
    katello-cli-common-0.1.21-1.fc15.noarch
    katello-repos-0.1.4-1.fc16.noarch
    katello-trusted-ssl-cert-1.0-1.noarch
    katello-qpid-broker-key-pair-1.0-1.noarch
    katello-configure-0.1.24-1.fc15.noarch
    katello-glue-candlepin-0.1.124-1.fc15.x86_64
    katello-glue-foreman-0.1.124-1.fc15.x86_64
    katello-common-0.1.124-1.fc15.noarch
    katello-0.1.124-1.fc15.x86_64
    katello-all-0.1.124-1.fc15.x86_64
    [root@scalpel ~]# cat /etc/fedora-release
    Fedora release 15 (Lovelock)
    [root@scalpel ~]# ll /root/ssl-build/KATELLO-PRIVATE-SSL-KEY
    ls: cannot access /root/ssl-build/KATELLO-PRIVATE-SSL-KEY: No such file or directory

I don't think it's an ordering issue, since in my case (beaker, F15) I also have the same result as Mike, but from the log I can see the task that should generate that missing file (KATELLO-PRIVATE-SSL-KEY) successfully executed:

    rhn-ssl-tool --gen-ca -p "$(cat /etc/katello/ssl_ca_password-file)" --set-country 'US' --set-state 'North Carolina' --set-city 'Raleigh' --set-org 'Red Hat' --set-org-unit 'Cloud BU' --set-common-name 'Katello machine' --set-email 'root@localhost' --ca-key 'KATELLO-PRIVATE-SSL-KEY' --ca-cert 'KATELLO-TRUSTED-SSL-CERT' --ca-cert-rpm katello-trusted-ssl-cert

I noticed from its output it is creating all files in the CURRENT directory, so a simple find showed:

    # find / -name KATELLO-PRIVATE-SSL-KEY
    /mnt/tests/Kalpana/Installation/PuppetSystemTest/ssl-build/KATELLO-PRIVATE-SSL-KEY

My wild guess is it got executed in a different directory for Beaker. I guess we should direct the tool to save everything in the /root/ssl-build folder rather than current pwd.

I change current working dir to /root and check if we are running as root before starting configuration. This won't hurt us for sure.

647dc20 760280 - katello-configure fails with ssl key creation error

Not good, jlaska just ran into the issue again: http://fpaste.org/d3q3/

But it seems this time it is a hostname issue:

jlaska: the problem seems to be that ssl-build/katello.rdu.redhat.com/ doesn't exist ... but ssl-build/katello/ does

I will fix this one immediately

fyi: https://bugzilla.redhat.com/show_bug.cgi?id=760265

Ok it seems that problem James reported is a different one. And it has been also fixed.

    [root@yyyy ~]# katello-configure
    Starting Katello configuration
    The top-level log file is [/var/log/katello/katello-configure-20111207-091236/main.log]
    [root@yyyyy ~]# ls
    anaconda-ks.cfg install.log install.log.syslog ssl-build
    [root@yyyy ~]# cd ssl-build/
    [root@yyyy ssl-build]# ls
    index.txt index.txt.attr index.txt.attr.old KATELLO-PRIVATE-SSL-KEY KATELLO-TRUSTED-SSL-CERT katello-trusted-ssl-cert-1.0-1.noarch.rpm katello-trusted-ssl-cert-1.0-1.src.rpm latest.txt rhn-ca-openssl.cnf rhn-ca-openssl.cnf.1 yyyy.redhat.com serial

This issue is no longer faced.

    [root@yyyy ssl-build]# rpm -qav | grep -i katello
    katello-cli-0.1.22-1.fc15.noarch
    katello-glue-candlepin-0.1.128-1.fc15.x86_64
    katello-qpid-broker-key-pair-1.0-1.noarch
    katello-cli-common-0.1.22-1.fc15.noarch
    katello-certs-tools-1.0.1-1.fc15.noarch
    katello-repos-0.1.4-1.fc16.noarch
    katello-httpd-ssl-key-pair-1.0-1.noarch
    katello-trusted-ssl-cert-1.0-1.noarch
    katello-configure-0.1.26-1.fc15.noarch
    katello-glue-pulp-0.1.128-1.fc15.x86_64
    katello-glue-foreman-0.1.128-1.fc15.x86_64
    katello-common-0.1.128-1.fc15.noarch
    katello-0.1.128-1.fc15.x86_64
    katello-all-0.1.128-1.fc15.x86_64
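
The failure mode discussed in this report (a CA key written relative to the current directory, then looked up under a fixed home) and the working-directory fix, as an added example that is not katello-configure's code. gen_ca_stub is a constructed stand-in for the key generation step, and every function name and temporary path here is an assumption made for illustration.

```shell
# gen_ca_stub is a constructed stand-in for the CA generation step: like the
# tool in the report, it writes into ./ssl-build under the current directory.
KEY_NAME=KATELLO-PRIVATE-SSL-KEY

gen_ca_stub() {
    mkdir -p ssl-build &&
    ( umask 077 && echo 'constructed placeholder, not a key' > "ssl-build/$KEY_NAME" )
}

# Before the fix: generate from the caller's directory, then look for the key
# under the expected home. Returns 1 when the key is not where it is expected.
configure_unpinned() {
    gen_ca_stub || return 2
    [ -f "$1/ssl-build/$KEY_NAME" ]
}

# After the fix: enter the expected home first, then check the post-conditions
# (key present, mode 600) before a later step such as a keystore export runs.
configure_pinned() {
    ( cd "$1" && gen_ca_stub ) || return 2
    key="$1/ssl-build/$KEY_NAME"
    [ -f "$key" ] || return 1
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 600 ] || return 3
}

# Detection: copies of the key that landed outside the expected home ($2).
stray_keys() {
    find "$1" -type f -name "$KEY_NAME" ! -path "$2/*"
}

# Runs both variants in a throwaway sandbox (all paths are constructed).
demo() {
    sandbox=$(mktemp -d) || return 2
    home="$sandbox/root"; other="$sandbox/mnt/tests"
    mkdir -p "$home" "$other"
    ( cd "$other" && configure_unpinned "$home" ) && unpinned=0 || unpinned=$?
    strays=$(stray_keys "$sandbox" "$home" | wc -l | tr -d ' ')
    configure_pinned "$home" && pinned=0 || pinned=$?
    rm -rf "$sandbox"
    echo "unpinned=$unpinned strays=$strays pinned=$pinned"
}

demo
```

The stray_keys check is the part worth keeping after a fix like this: a private key left behind in a test or mount directory stays readable there even once later runs write to the right place.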