Bug 821949
Summary: | installation fails if kickstart is served over https:// with an unrecognised CA certificate | ||
---|---|---|---|
Product: | [Retired] Beaker | Reporter: | Bill Peck <bpeck> |
Component: | scheduler | Assignee: | Dan Callaghan <dcallagh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 0.9 | CC: | bpeck, dcallagh, rmancy, stl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2012-06-26 06:40:06 UTC | Type: | Bug |
Description
Bill Peck
2012-05-15 20:43:10 UTC
The problem here is not with SSL itself, but rather because our Beaker server is using an SSL certificate signed by the internal CA which is not included in Anaconda's CA bundle. As a workaround we can add 'noverifyssl' to kernel options. That will make Anaconda skip certificate checks.

The proper solution would be to add our CA certificate to Anaconda's bundle somehow. I can't find any documented way of doing this, but I imagine we could add an updates image that includes the extra certificate in the right places. This doesn't seem worth the effort though.

I'm thinking the best solution would be to add "global" install options to the config file, which are applied first (before distro tree, system, recipe). They would default to blank, but anyone who is using a custom SSL CA (like us) could put 'noverifyssl' in the kernel options.

On Gerrit: http://gerrit.beaker-project.org/1075

noverifyssl will not work with all versions of anaconda since it was added recently.

My suggestion is we come up with a mod_rewrite rule that can be put in beaker-server.conf

(In reply to comment #4)
> noverifyssl will not work with all versions of anaconda since it was added
> recently.
>
> My suggestion is we come up with a mod_rewrite rule that can be put in
> beaker-server.conf

Of course that's impossible. Whatever the rewrite rule says, anaconda would still first have to make a connection to 443. :-)

We need to serve the URL without https to begin with like we do for the harness repo.

Second try: http://gerrit.beaker-project.org/1079

Beaker 0.9.0 has been released.
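
The root cause discussed in this bug, as an added example that is not part of the original report or of Beaker's code: a certificate issued by an internal CA fails verification against a bundle that lacks that CA, and passes once the CA is appended to the bundle. The CA names, the host name `beaker.example.test` and the function names are constructed for the demo, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated on the fly.

# check_chain BUNDLE CERT -> prints "trusted" if CERT chains to a CA in BUNDLE.
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# new_root CN PREFIX -> writes a self-signed root to PREFIX.pem / PREFIX.key.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1

    # Stand-in for the installer's stock CA bundle: one unrelated root.
    new_root "Example Stock Root" "$d/stock"
    # The internal CA that the stock bundle does not contain.
    new_root "Example Internal CA" "$d/ca"

    # Server certificate for the kickstart host, issued by the internal CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=beaker.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null

    # What the installer sees with its stock bundle.
    before=$(check_chain "$d/stock.pem" "$d/srv.pem")

    # Same check after the internal CA is added to the bundle.
    cat "$d/stock.pem" "$d/ca.pem" > "$d/bundle.pem"
    after=$(check_chain "$d/bundle.pem" "$d/srv.pem")

    rm -rf "$d"
    echo "$before $after"
}

demo   # prints: untrusted trusted
```
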