Bug 1058016 - ssl2jkstrust.py does not get root ca from chain in some cases
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-reports
Version: 3.3.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
: 3.4.0
Assignee: Alon Bar-Lev
QA Contact: Barak Dagan
URL:
Whiteboard: integration
Depends On:
Blocks: 1064827 rhev3.4beta 1142926
Reported: 2014-01-26 13:24 UTC by Pablo Iranzo Gómez
Modified: 2019-04-28 09:19 UTC

Fixed In Version: ovirt-3.4.0-beta3
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1064827 (view as bug list)
Environment:
Last Closed: 2014-06-09 15:27:03 UTC
oVirt Team: ---
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 730823 None None None Never
Red Hat Product Errata RHEA-2014:0602 normal SHIPPED_LIVE rhevm-reports 3.4 bug fix and enhancement update 2014-06-09 19:26:10 UTC
oVirt gerrit 23734 None None None Never
oVirt gerrit 23735 None None None Never

Description Pablo Iranzo Gómez 2014-01-26 13:24:11 UTC
Description of problem:
Hi
After upgrading RHEV environment to 3.3, I was unable to properly start apache (server was upgraded from 3.0 -> 3.1 -> 3.2 -> 3.3 during all its life).

Once apache was working and RHEV-M too, I got one ETL error, so I proceeded to reinstall DWH and Reports, but reports was not installing:

Customizing Server...                                 [ DONE ]
Return Code is not zero
Error encountered while installing rhevm-reports, please consult the log file: /var/log/ovirt-engine/ovirt-engine-reports-setup-2014_01_26_12_31_48.log



The relevant part from that log was:


2014-01-26 12:36:34::DEBUG::common_utils::1018::root:: Executing command --> '/usr/share/ovirt-engine-reports/ssl2jkstrust.py --host=myserver.com --port=443 --keystore=/etc/ovirt-engine/ovirt-engine-reports/trust.jks --storepass=mypass' in working directory '/root'
2014-01-26 12:36:35::DEBUG::common_utils::1073::root:: output = 
2014-01-26 12:36:35::DEBUG::common_utils::1074::root:: stderr = Traceback (most recent call last):
  File "/usr/share/ovirt-engine-reports/ssl2jkstrust.py", line 116, in <module>
    main()
  File "/usr/share/ovirt-engine-reports/ssl2jkstrust.py", line 114, in main
    os.rename(tmp, options.keystore)
OSError: [Errno 2] No such file or directory


So we have two issues:

1- os.rename should check that the file was created before trying to remove it
2- the file wasn't created by ssl2jkstrust.py because it uses:

"for c in getChainFromSSL((options.host, int(options.port)))[1:]:"

Which fails when certificate is provided in return place '0' instead of '1'.

Changing that line to read "0:" instead of "1:" allowed installation to continue without any detectable issue


Version-Release number of selected component (if applicable):
rhevm-reports-3.3.0-28.el6ev.noarch

How reproducible:


Steps to Reproduce:
1. Ensure that certificate provides 'CERTIFICATE' in argument 0, probably because of missing chain
2. Run rhevm-reports-setup
3.

Actual results:

Setup fails because of the "No such file or directory" messages

Expected results:

Setup should have succeeded.

Additional info:

Patching the call to just try to gather certificate from all/any return arguments instead of "1" should not have raised this issue.

As the whole environment is working fine, we could raise instead a warning during setup/upgrade phase.
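
An added example, not taken from the bug report or from the oVirt code, reproducing the failure described above: a `[1:]` slice over a one-certificate chain selects nothing, the temporary keystore is never written, and `os.rename` fails with ENOENT. The chains are constructed (subject, issuer) pairs, the file write stands in for the keytool import, and `select_tolerant` and `build_keystore` are hypothetical names, not the shipped fix.

```python
import os

# Constructed chains as (subject, issuer) pairs, leaf first (the order a
# TLS server sends them). All names are made up for illustration.
FULL_CHAIN = [
    ("CN=myserver.com", "CN=Example Issuing CA"),
    ("CN=Example Issuing CA", "CN=Example Root CA"),
    ("CN=Example Root CA", "CN=Example Root CA"),
]
SINGLE_CERT = [("CN=myserver.com", "CN=myserver.com")]  # server sends no chain


def select_original(chain):
    """Selection quoted in the report: skip element 0, keep the rest."""
    return chain[1:]


def select_tolerant(chain):
    """Hypothetical alternative: issuers when present, else the only cert."""
    return chain[1:] or chain[:1]


def build_keystore(chain, select, keystore, check=True):
    """Write the selected certs to a temp file, then move it into place.

    The write stands in for the keytool import loop: the temp file only
    exists if at least one certificate was selected.
    """
    tmp = keystore + ".tmp"
    for subject, _issuer in select(chain):
        with open(tmp, "a") as f:
            f.write(subject + "\n")
    if check and not os.path.exists(tmp):
        # Fail with a message that names the cause instead of ENOENT.
        raise RuntimeError(
            "no certificate selected from a chain of %d" % len(chain))
    os.rename(tmp, keystore)  # with check=False this raises as in the log
    return keystore
```

Falling back to the server's own certificate pins that certificate as the trust anchor, so the keystore has to be rebuilt whenever the certificate is replaced.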

Comment 2 Alon Bar-Lev 2014-01-26 17:16:18 UTC
Can you please attach /etc/httpd/conf.d/ssl.conf?

Can you please attach the output of:

$ openssl s_client -showcerts -connect localhost:443 < /dev/null

Thanks!

Comment 5 Pablo Iranzo Gómez 2014-01-26 21:18:33 UTC
Alon,
Let me know if any additional file is needed.

Regards,
Pablo

Comment 6 Alon Bar-Lev 2014-01-26 21:43:09 UTC
Thanks!

Can you please try to remove SSLCertificateChainFile?

I have a solution also in this state, just want to confirm.

Comment 7 Pablo Iranzo Gómez 2014-01-27 08:04:23 UTC
Alon,
Removing the SSLCertificateChain from ssl.conf and restarting apache, and using the original ssl2jkstrust.py gives no complaint, but also it's not creating the file.

Regards,
Pablo

Comment 8 Yaniv Lavi 2014-01-27 13:01:23 UTC
Do we want z stream on this?


Yaniv

Comment 11 Barak Dagan 2014-02-24 16:00:59 UTC
Should this bug be verified on upstream or downstream?
It is under rhev product, in which it is not implemented yet (av1), therefore not on qa. 
But targeted to ovirt-3.4.0-beta3, which has a different location in products tree.

Please solve it out.

Comment 12 Sandro Bonazzola 2014-02-27 15:03:08 UTC
(In reply to Barak Dagan from comment #11)
> Should this bug be verified on upstream or downstream?
> It is under rhev product, in which it is not implemented yet (av1),
> therefore not on qa. 

ovirt-3.4.0-beta3 has been delivered to QA for testing and referenced patches point to upstream gerrit.
So this BZ should be ON_QA unless it's missing references to downstream gerrit

> But targeted to ovirt-3.4.0-beta3, which has a different location in
> products tree.
> 
> Please solve it out.

Comment 13 Barak Dagan 2014-03-12 13:08:43 UTC
alonbl: 3.4 does not use this method to acquire certificate, it is 3.3 only bug.
you must have 3.4 bug to clone it into 3.3.

Comment 14 errata-xmlrpc 2014-06-09 15:27:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0602.html

