Bug 821949

Summary: installation fails if kickstart is served over https:// with an unrecognised CA certificate
Product: [Retired] Beaker
Reporter: Bill Peck <bpeck>
Component: scheduler
Assignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 0.9
CC: bpeck, dcallagh, rmancy, stl
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-26 06:40:06 UTC
Type: Bug

Description Bill Peck 2012-05-15 20:43:10 UTC
Description of problem:
Since native provisioning serves the kickstarts from the scheduler and our scheduler is configured to do https, anaconda fails to install.

Version-Release number of selected component (if applicable):
0.8.99


In an effort to serve everything to the test machines through the lab controller, would it be possible to proxy this from the lab controller?  Or should we leave that alone for now and simply strip ks=https:// to ks=http:// ?

Comment 1 Dan Callaghan 2012-05-21 01:21:14 UTC
The problem here is not with SSL itself, but rather because our Beaker server is using an SSL certificate signed by the internal CA which is not included in Anaconda's CA bundle.

As a workaround we can add 'noverifyssl' to kernel options. That will make Anaconda skip certificate checks.

The proper solution would be to add our CA certificate to Anaconda's bundle somehow. I can't find any documented way of doing this, but I imagine we could add an updates image that includes the extra certificate in the right places. This doesn't seem worth the effort though.
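
The failure described in comment 1, reproduced offline with the openssl CLI as an added example (not part of the bug report or of Beaker's code): a server certificate signed by an internal CA fails verification against a bundle that lacks that CA and passes once the CA is appended. All subjects, host names and file names are constructed, and `installer-bundle.pem` only stands in for Anaconda's bundle.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for this example.
set -eu

# make_pki DIR: build an internal CA, a stand-in installer bundle, and a server cert.
make_pki() {
  # Private CA that signs the server certificate (the "internal CA").
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Internal CA" \
    -keyout "$1/internal-ca.key" -out "$1/internal-ca.pem" 2>/dev/null
  # Unrelated CA standing in for the bundle shipped inside the installer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Shipped CA" \
    -keyout "$1/shipped-ca.key" -out "$1/installer-bundle.pem" 2>/dev/null
  # Server certificate for the kickstart host, signed by the internal CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=beaker.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -days 2 -CAcreateserial \
    -CA "$1/internal-ca.pem" -CAkey "$1/internal-ca.key" -out "$1/server.pem" 2>/dev/null
}

# verify_with BUNDLE CERT: print "trusted" or "untrusted" for CERT against BUNDLE.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# extend_bundle BUNDLE CA OUT: write a bundle that also trusts CA.
extend_bundle() {
  cat "$1" "$2" > "$3"
}

dir=$(mktemp -d)
make_pki "$dir"
echo "shipped bundle only:     $(verify_with "$dir/installer-bundle.pem" "$dir/server.pem")"
extend_bundle "$dir/installer-bundle.pem" "$dir/internal-ca.pem" "$dir/extended.pem"
echo "bundle plus internal CA: $(verify_with "$dir/extended.pem" "$dir/server.pem")"
rm -rf "$dir"
```

Extending the trust bundle keeps the certificate check in place, whereas `noverifyssl` removes the check altogether.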

Comment 2 Dan Callaghan 2012-05-21 02:38:29 UTC
I'm thinking the best solution would be to add "global" install options to the config file, which are applied first (before distro tree, system, recipe). They would default to blank, but anyone who is using a custom SSL CA (like us) could put 'noverifyssl' in the kernel options.

Comment 3 Dan Callaghan 2012-05-21 03:36:10 UTC
On Gerrit: http://gerrit.beaker-project.org/1075

Comment 4 Bill Peck 2012-05-21 18:07:57 UTC
noverifyssl will not work with all versions of anaconda since it was added recently.


My suggestion is we come up with a mod_rewrite rule that can be put in beaker-server.conf

Comment 5 Bill Peck 2012-05-21 18:56:36 UTC
(In reply to comment #4)
> noverifyssl will not work with all versions of anaconda since it was added
> recently.
> 
> 
> My suggestion is we come up with a mod_rewrite rule that can be put in
> beaker-server.conf

Of course that's impossible. Whatever the rewrite rule says, anaconda would still first have to make a connection to 443. :-)

We need to serve the url without https to begin with like we do for the harness repo.

Comment 6 Dan Callaghan 2012-05-22 05:36:04 UTC
Second try: http://gerrit.beaker-project.org/1079

Comment 8 Dan Callaghan 2012-06-26 06:40:06 UTC
Beaker 0.9.0 has been released.