Long term fix for: https://bugzilla.redhat.com/show_bug.cgi?id=1007662

When RHUA generates certs, it should use a configurable item to control when a cert would expire.
Fixing version assignment
RHUI-3 uses a different installer that allows you to specify certificate expiration in days
On 20161115 iso,

1) if the cert expires, the user will see:

RHUI Username: admin
RHUI Password:
Server certificate is not signed by a trusted authority.

Is it too generic maybe? What about adding smth like: "or has expired"

2) --certs-ca-expiration is checked to be an integer. However it shouldn't be a negative or zero integer.

rhui-installer --certs-ca-expiration=string
Parameter certs-ca-expiration invalid
Error during configuration, exiting
Please check the settings in /etc/rhui-installer/answers.yaml

[root@ns01 ~]# rhui-installer --certs-ca-expiration=1.05
Parameter certs-ca-expiration invalid
Error during configuration, exiting
Please check the settings in /etc/rhui-installer/answers.yaml

[root@ns01 ~]# rhui-installer --certs-ca-expiration=''
Parameter certs-ca-expiration invalid
Error during configuration, exiting
Please check the settings in /etc/rhui-installer/answers.yaml

[root@ns01 ~]# rhui-installer --certs-ca-expiration=0
Preparing installation
Debug: Automatically imported concat from concat i^C/usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `each': Interrupt
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `block in run_installation'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `spawn'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `run_installation'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:149:in `execute'
    from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
    from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:156:in `run'
    from /sbin/rhui-installer:5:in `<main>'

[root@ns01 ~]# rhui-installer --certs-ca-expiration=-100
Preparing installation
Done
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/kafo/configuration.log
Please check the settings in /etc/rhui-installer/answers.yaml

[root@ns01 ~]# rhui-installer --certs-ca-expiration=100
Preparing installation
Debug: importing '/usr/share/rhui-installer/module^C/usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `each': Interrupt
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:390:in `block in run_installation'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `spawn'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:388:in `run_installation'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:149:in `execute'
    from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
    from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
    from /usr/share/gems/gems/kafo-0.7.3/lib/kafo/kafo_configure.rb:156:in `run'
    from /sbin/rhui-installer:5:in `<main>'
With certs-ca-expiration <= 0, I get:

# rhui-installer --certs-ca-expiration=-100
validate_integer(): Expected -100 to be greater or equal to 1, got -100. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com
validate_integer(): Expected -100 to be greater or equal to 1, got -100. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com
Preparing installation
Done
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/kafo/configuration.log
Please check the settings in /etc/rhui-installer/answers.yaml

That's better, although one could argue that it's a very technical error message.

As for expired cert, I didn't try using one, but I still see:

/usr/lib/python2.7/site-packages/rhui/tools/launcher.py:142: prompt.write(prompt.color(_('Server certificate is not signed by a trusted authority.'),

(So, no "or has expired".)

Leaving in ON_QA.
Given the proximity to releasing GA at this point, the plan is to move the "or has expired" portion to its own bug, and QA the rest against the GA build.
(In reply to Irina Gulina from comment #9)
> On 20161115 iso,
>
> 1) if the cert expires, the user will see:
>
> RHUI Username: admin
> RHUI Password:
> Server certificate is not signed by a trusted authority.
>
> Is it too generic maybe? What about adding smth like: "or has expired"

Filed bug 1415097 to track this post GA.

> 2) --certs-ca-expiration is checked to be an integer. However it shouldn't
> be a negative or zero integer.

This is (still) handled correctly in build 20170118:

With 0:
validate_integer(): Expected 0 to be greater or equal to 1, got 0. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com

With a negative integer:
validate_integer(): Expected -100 to be greater or equal to 1, got -100. at /usr/share/rhui-installer/modules/rhua/manifests/init.pp:139 on node rhua.example.com

With a non-integer parameter:
Parameter certs-ca-expiration invalid
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0367