You appear to be running "java-1.7.0-openjdk-1.7.0.40" which introduced a lower limit on RSA key length, it will not validate any keys under below 1024. This can be disabled by commenting out jdk.certpath.disabledAlgorithms in path-to-jre/lib/security/java.security You could also just remove "RSA keySize < 1024" from that line.
Created attachment 810731 [details] clean SAM install no problem with candlepin
I did a fresh RHEL 6.4 install. Installed java 1.7.0 jdk, then install SAM. # yum install java-1.7.0-openjdk # yum install -y katello-headpin-all # katello-configure --deployment=sam --user-pass=admin Then I ran the following: # katello-service status tomcat6 (pid 31854) is running... [ OK ] httpd (pid 32246) is running... thumbslug (pid 32018) is running... elasticsearch (pid 31302) is running... katello (32199) is running. katello (32217) is running. delayed_job is not running. delayed_job_monitor is not running. # headpin -u admin -p admin ping ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Katello Status Status Service Result Duration Message ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- FAIL candlepin ok 83ms candlepin_auth ok 64ms elasticsearch ok 51ms katello_jobs FAIL katello-jobs service not running thumbslug ok 672ms ===== END ==== There was no SSL errors. And candlepin responds with no errors as well: # curl -k https://localhost:8443/candlepin/status/ {"result":true,"version":"0.8.26","rulesVersion":"4.2","release":"1","standalone":true,"timeUTC":"2013-10-10T20:08:13.221+0000","managerCapabilities":["cores","ram","instance_multiplier","derived_product","cert_v3"],"rulesSource":"DEFAULT"}
# rpm -qa | grep openjdk java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el6_4.x86_64 java-1.6.0-openjdk-1.6.0.0-1.50.1.11.5.el6_3.x86_64 Both JDKs are installed as well.
2013-10-10 16:32:44 (12.1 MB/s) - “java-1.7.0-openjdk-1.7.0.40-2.4.2.1.el6.x86_64.rpm” saved [26921136/26921136] [root@dhcp137-135 ~]# rpm -Uvh java-1.7.0-openjdk-1.7.0.40-2.4.2.1.el6.x86_64.rpm Preparing... ########################################### [100%] 1:java-1.7.0-openjdk ########################################### [100%] [root@dhcp137-135 ~]# katello-service restart Shutting down Katello services... Stopping katello-jobs: [FAILED] Stopping katello: Stopping elasticsearch: [ OK ] Stopping thumbslug: [ OK ] Stopping httpd: [ OK ] Stopping tomcat6: [ OK ] Done. Starting Katello services... Starting tomcat6: [ OK ] Starting httpd: [ OK ] Starting thumbslug: Oct 10 15:33:50 [main] WARN org.candlepin.thumbslug.Main - Shutting down... [ OK ] Starting elasticsearch: [ OK ] Starting katello: [ OK ] Starting katello-jobs: [FAILED] Done. [root@dhcp137-135 ~]# headpin -u admin -p admin ping ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Katello Status Status Service Result Duration Message ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- FAIL candlepin ok 338ms candlepin_auth ok 36ms elasticsearch ok 62ms katello_jobs FAIL katello-jobs service not running thumbslug ok 279ms
Created attachment 812213 [details] production log showing error Both candlepin pings show an SSL error. This log include some debug printing I added.
whats out put of: ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION' On client? Anything interesting show up with tomcat setup to start with "-Djavax.net.debug=ssl" ? ie, add it to JAVA_OPTS in /etc/tomcat6/tomcat6.conf How is ssl setup in /etc/tomcat6/server.xml? (the Connector config)
FYI: As a fix for this bug, we're installing java-1.6-0-openjdk as default for katello-all on rhel6 machines
And by this bug, I mean https://bugzilla.redhat.com/show_bug.cgi?id=995123 not meaning, that it resolves this issue
We need to have katello-installer check for java-1.7+ to ensure we don't get bit by 1010111.
*** Bug 1061721 has been marked as a duplicate of this bug. ***
WORKAROUND: rpm -e java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5.x86_64 and ensure that you have: java-1.6.0-openjdk-1.6.0.0-1.66.1.13.0.el6.x86_64
Current install on Satellite 6.5 has both jdks installed, and the app is working. I am moving this to ON_QA.
Failed. Verification steps: 1. Subscribe/register the client to RHN 2. Remove all openjdk 3. yum install java-1.7.0-openjdk 4. Install Satellite6 Snap 8 Actual Results: Installation failed. -> foreman-debug attached -> hammer-ping failed # hammer ping Could not load API description from the server - is your server down? - was "foreman-rake apipie:cache" run on the server when using apipie cache? (typical production settings)) Warning: An error occured while loading module hammer_cli_katello ^CWarning: An error occured while loading module hammer_cli_foreman Error: No such sub-command 'ping' See: 'hammer --help' -> UI did not launch (screenshot attached) Version Tested: * apr-util-ldap-1.3.9-3.el6_0.1.x86_64 * candlepin-0.9.7-1.el6_5.noarch * candlepin-scl-1-5.el6_4.noarch * candlepin-scl-quartz-2.1.5-5.el6_4.noarch * candlepin-scl-rhino-1.7R3-1.el6_4.noarch * candlepin-scl-runtime-1-5.el6_4.noarch * candlepin-selinux-0.9.7-1.el6_5.noarch * candlepin-tomcat6-0.9.7-1.el6_5.noarch * elasticsearch-0.90.10-4.el6sat.noarch * foreman-1.6.0.14-1.el6sat.noarch * foreman-compute-1.6.0.14-1.el6sat.noarch * foreman-gce-1.6.0.14-1.el6sat.noarch * foreman-libvirt-1.6.0.14-1.el6sat.noarch * foreman-ovirt-1.6.0.14-1.el6sat.noarch * foreman-postgresql-1.6.0.14-1.el6sat.noarch * foreman-proxy-1.6.0.6-1.el6sat.noarch * foreman-selinux-1.6.0-4.el6sat.noarch * foreman-vmware-1.6.0.14-1.el6sat.noarch * katello-1.5.0-25.el6sat.noarch * katello-ca-1.0-1.noarch * katello-certs-tools-1.5.5-1.el6sat.noarch * katello-installer-0.0.45-1.el6sat.noarch * openldap-2.4.23-32.el6_4.1.x86_64 * openldap-devel-2.4.23-32.el6_4.1.x86_64 * pulp-katello-0.3-3.el6sat.noarch * pulp-nodes-common-2.4.0-0.18.beta.el6sat.noarch * pulp-nodes-parent-2.4.0-0.18.beta.el6sat.noarch * pulp-puppet-plugins-2.4.0-0.18.beta.el6sat.noarch * pulp-puppet-tools-2.4.0-0.18.beta.el6sat.noarch * pulp-rpm-plugins-2.4.0-0.18.beta.el6sat.noarch * pulp-selinux-2.4.0-0.18.beta.el6sat.noarch * pulp-server-2.4.0-0.18.beta.el6sat.noarch * python-ldap-2.3.10-1.el6.x86_64 * ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch * ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
If this bug is not fixed before beta, this may need doc update.
Created redmine issue http://projects.theforeman.org/issues/6426 from this bug
Upstream bug assigned to None
The 6/9 attachments do not have any of the logs from the java bits in it. There's no tomcat logs or no candlepin logs.
I dont think this bug is relevant anymore. Satellite6 now requires java-1.7.0-openjdk by default. Proposing to close this bug.
Verified. Satellite6 now requires java-1.7.0-openjdk Version Tested: Satellite-6.0.4-RHEL-6-20140723.0 * apr-util-ldap-1.3.9-3.el6_0.1.x86_64 * candlepin-0.9.19-1.el6_5.noarch * candlepin-scl-1-5.el6_4.noarch * candlepin-scl-quartz-2.1.5-5.el6_4.noarch * candlepin-scl-rhino-1.7R3-1.el6_4.noarch * candlepin-scl-runtime-1-5.el6_4.noarch * candlepin-selinux-0.9.19-1.el6_5.noarch * candlepin-tomcat6-0.9.19-1.el6_5.noarch * elasticsearch-0.90.10-4.el6sat.noarch * foreman-1.6.0.29-1.el6sat.noarch * foreman-compute-1.6.0.29-1.el6sat.noarch * foreman-gce-1.6.0.29-1.el6sat.noarch * foreman-libvirt-1.6.0.29-1.el6sat.noarch * foreman-ovirt-1.6.0.29-1.el6sat.noarch * foreman-postgresql-1.6.0.29-1.el6sat.noarch * foreman-proxy-1.6.0.21-1.el6sat.noarch * foreman-selinux-1.6.0-8.el6sat.noarch * foreman-vmware-1.6.0.29-1.el6sat.noarch * katello-1.5.0-27.el6sat.noarch * katello-ca-1.0-1.noarch * katello-certs-tools-1.5.6-1.el6sat.noarch * katello-installer-0.0.56-1.el6sat.noarch * openldap-2.4.23-32.el6_4.1.x86_64 * pulp-katello-0.3-3.el6sat.noarch * pulp-nodes-common-2.4.0-0.23.beta.el6sat.noarch * pulp-nodes-parent-2.4.0-0.23.beta.el6sat.noarch * pulp-puppet-plugins-2.4.0-0.23.beta.el6sat.noarch * pulp-puppet-tools-2.4.0-0.23.beta.el6sat.noarch * pulp-rpm-plugins-2.4.0-0.23.beta.el6sat.noarch * pulp-selinux-2.4.0-0.23.beta.el6sat.noarch * pulp-server-2.4.0-0.23.beta.el6sat.noarch * python-ldap-2.3.10-1.el6.x86_64 * ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch * ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
*** Bug 1124441 has been marked as a duplicate of this bug. ***
This was delivered with Satellite 6.0 which was released on 10 September 2014.