Bug 1218251 - The installer should check that the cert rpms installed on the system are corresponding to those present in ~/ssl-build (or in the capsule certs tar.gz)
Summary: The installer should check that the cert rpms installed on the system are cor...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Ivan Necas
QA Contact: Martin Bacovsky
URL:
Whiteboard:
Duplicates: 1291065
Depends On:
Blocks: 1171841 1356955
Reported: 2015-05-04 12:16 UTC by Ivan Necas
Modified: 2019-11-14 06:42 UTC (History)
CC: 9 users

Fixed In Version: katello-installer-base-3.0.0.51-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:24:24 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 15538 0 High Closed The installer should check that the cert rpms installed on the system are corresponding to those present in ~/ssl-build ... 2020-10-27 13:28:16 UTC
Red Hat Bugzilla 1171841 0 high CLOSED ProxyAPI::ProxyException: ERF12-2749 [ProxyAPI::ProxyException] 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 1311844 0 None None None 2016-06-01 21:09:06 UTC

Internal Links: 1171841

Description Ivan Necas 2015-05-04 12:16:41 UTC
Description of problem:

The katello-installer and capsule-certs-generate are using rpms to distribute the generated certificates. Newly-regenerated rpms with new certificates have an increased version number, so that they should update the previous certificates in the system.

However, in some cases (especially when experimenting with different katello-installer certs options and trying to re-install the katello), the rpms with the newly generated certificates installed on the system don't update already installed rpms on the system from previous attempts.

How reproducible:
always

Steps to Reproduce:
1. katello-installer
2. remove ~/ssl-build directory on the server
3. katello-installer --reset
4. capsule-certs-generate --capsule-fqdn capsule.example.com --certs-tar ~/capsule.example.com.tar.gz
5. on the capsule: capsule-installer (using the options suggested in the capsule-certs-generate output)

Actual results:

The capsule-installer fails on

ProxyAPI::ProxyException: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get environments from Puppet ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://capsule.example.com:9090/puppet

Expected results:

The katello-installer, capsule-certs-generate and capsule-installer check that the cert rpms installed on the system correspond with the rpms that are intended to be used.

Additional info:

The workaround for the issue is to remove the cert rpms manually before the installer call:

   # erase every rpm that owns a file in the katello-certs-tool certs directory
   for i in /etc/pki/katello-certs-tool/certs/*; do
     rpm -e "$(rpm -qf "$i")"
   done

The run of the installer should make the installer work again.

There is a kcs article about this workaround https://access.redhat.com/solutions/1311844 with a small suggested update here https://bugzilla.redhat.com/show_bug.cgi?id=1171841#c18
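The check the report asks for, written out as an added example (this is not code from the bug report or from the katello-installer/puppet-certs fix): compare the certificate RPMs installed on the host against the RPMs the installer generated under ~/ssl-build, and refuse to proceed on any mismatch. The ssl-build path, the /etc/pki/katello-certs-tool/certs directory (taken from the workaround above) and the package names in the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Satellite/Katello
# installer: a pre-flight check that the certificate RPMs installed on a host
# are the ones the installer generated under ~/ssl-build (or unpacked from the
# capsule certs tarball). Directory and package names are assumptions.

# compare_cert_rpms EXPECTED INSTALLED
#   Both arguments are newline-separated "name version-release" lines.
#   Prints one line per discrepancy and returns 1 if any was found, else 0.
compare_cert_rpms() {
    expected=$1
    installed=$2
    rc=0
    # 1) every generated package must be installed at exactly that version-release
    while read -r name ver; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING  $name expected=$ver"
            rc=1
        elif [ "$have" != "$ver" ]; then
            echo "MISMATCH $name installed=$have expected=$ver"
            rc=1
        fi
    done <<EOF
$expected
EOF
    # 2) an installed cert package with no corresponding generated RPM is stale
    #    (typically left over from an earlier run with different certs options)
    while read -r name ver; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$expected" | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
            echo "STALE    $name installed=$ver (no matching RPM in ssl-build)"
            rc=1
        fi
    done <<EOF
$installed
EOF
    return $rc
}

# expected_cert_rpms DIR: "name version-release" for every RPM found under DIR
expected_cert_rpms() {
    find "$1" -type f -name '*.rpm' \
        -exec rpm -qp --qf '%{NAME} %{VERSION}-%{RELEASE}\n' {} + 2>/dev/null | sort -u
}

# installed_cert_rpms: the packages owning the files in the katello-certs-tool
# certs directory (the same directory the manual workaround iterates over)
installed_cert_rpms() {
    rpm -qf --qf '%{NAME} %{VERSION}-%{RELEASE}\n' /etc/pki/katello-certs-tool/certs/* 2>/dev/null | sort -u
}

# Constructed sample data (not real installer output): the server regenerated
# its certs (release 2), but the host still carries release 1 of the apache
# package, never received the new qpid-broker package, and keeps a package
# from an earlier attempt against a different FQDN.
SAMPLE_EXPECTED='sat.example.com-apache 1.0-2
sat.example.com-foreman-proxy 1.0-2
sat.example.com-qpid-broker 1.0-2'
SAMPLE_INSTALLED='sat.example.com-apache 1.0-1
sat.example.com-foreman-proxy 1.0-2
oldsat.example.com-apache 1.0-1'

# ./check-cert-rpms.sh demo          -> runs against the sample data above
# ./check-cert-rpms.sh live [DIR]    -> runs against the host, DIR defaults to ~/ssl-build
case "${1:-}" in
    demo) compare_cert_rpms "$SAMPLE_EXPECTED" "$SAMPLE_INSTALLED" ;;
    live) compare_cert_rpms "$(expected_cert_rpms "${2:-$HOME/ssl-build}")" "$(installed_cert_rpms)" ;;
esac
```

Run in `demo` mode the sample data produces one MISMATCH, one MISSING and one STALE line and a non-zero exit status; `live` mode does the same query with `rpm -qp` against the RPMs in ssl-build and `rpm -qf` against the installed files, which is exactly the comparison the reporter wants the installer itself to make before it touches the certificates.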

Comment 5 Ivan Necas 2016-06-28 16:16:23 UTC
Created redmine issue http://projects.theforeman.org/issues/15538 from this bug

Comment 6 Ivan Necas 2016-06-28 16:37:22 UTC
Proposed fix at https://github.com/Katello/puppet-certs/pull/91

Comment 7 Ivan Necas 2016-06-28 16:38:49 UTC
Steps I've tested the change against:

1 install katello
2 check the certificate of web UI
3 cp ~/ssl-build{,.1}
4 foreman-installer --certs-update-all
5 check the certificate of web UI
6 cp ~/ssl-build{,.2}
7 rm -rf ~/ssl-build
8 cp ~/ssl-build{.1,}
9 foreman-installer
10 the certificate of the web UI should change back to the one from step 2
11 foreman-installer --certs-update-all
12 the certificate of the web UI should be different than the one from step 2 or 5
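An added example (not part of the comment above or of the installer) that makes the "check the certificate of web UI" steps measurable: record the SHA-256 fingerprint of the certificate the web UI serves after each installer run, then check that the update/rollback/update sequence behaves as steps 2, 5, 10 and 12 expect. The host name is an assumption; the two `openssl` helpers need a reachable host or a certificate file, while the sequence check itself works on any four fingerprint strings.

```shell
#!/bin/sh
# Added example, not part of the bug report or the installer: record the
# fingerprint of the web UI certificate before and after each installer run
# and check the rotate / roll back / rotate sequence from the test procedure.
# Host names are assumptions; served_fingerprint needs a reachable host.

# served_fingerprint HOST [PORT]: SHA-256 fingerprint of the leaf certificate
# HOST:PORT presents (only the hex part, e.g. AB:CD:...)
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pem_fingerprint FILE: the same for a certificate file, e.g. one under ~/ssl-build
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_rotation_sequence INITIAL AFTER_UPDATE AFTER_ROLLBACK AFTER_SECOND_UPDATE
#   Encodes the expectations of steps 2/5/10/12: --certs-update-all must change
#   the certificate, reinstalling from the restored ssl-build must bring the
#   original back, and a further update must produce a certificate matching
#   neither earlier one. Prints the first violated expectation and returns 1.
check_rotation_sequence() {
    a=$1; b=$2; c=$3; d=$4
    for f in "$a" "$b" "$c" "$d"; do
        [ -n "$f" ] || { echo "empty fingerprint"; return 1; }
    done
    [ "$b" != "$a" ] || { echo "certs-update-all did not change the certificate"; return 1; }
    [ "$c" = "$a" ]  || { echo "rollback of ssl-build did not restore the original certificate"; return 1; }
    [ "$d" != "$a" ] && [ "$d" != "$b" ] || { echo "second certs-update-all reused an earlier certificate"; return 1; }
    echo "rotation sequence OK"
}

# Usage on the Satellite host (live run, interleaved with the installer calls
# of the test procedure; not executed here):
#   A=$(served_fingerprint sat.example.com)    # step 2
#   cp -r ~/ssl-build ~/ssl-build.1; satellite-installer --certs-update-all
#   B=$(served_fingerprint sat.example.com)    # step 5
#   rm -rf ~/ssl-build; cp -r ~/ssl-build.1 ~/ssl-build; satellite-installer
#   C=$(served_fingerprint sat.example.com)    # step 10
#   satellite-installer --certs-update-all
#   D=$(served_fingerprint sat.example.com)    # step 12
#   check_rotation_sequence "$A" "$B" "$C" "$D"
```

Comparing fingerprints rather than eyeballing the browser dialog also catches the silent failure mode of this bug: an installer run that reports Success while the service keeps serving the certificate from the previously installed RPM.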

Comment 8 Bryan Kearney 2016-07-06 12:34:38 UTC
Upstream is merged, moving this to POST.

Comment 11 Ivan Necas 2016-07-15 11:20:03 UTC
While testing this by removing the /root/ssl-build, I've hit another related issue that I track here https://bugzilla.redhat.com/show_bug.cgi?id=1356955.
Since it's just one of the cases that this BZ addresses, and in most cases, only the server-ca related certs are changed, not the default-ca itself, I suggest verifying this BZ based on the scenario described in https://bugzilla.redhat.com/show_bug.cgi?id=1218251#c7 and the second issue in the separate bug.

Comment 12 Ivan Necas 2016-07-15 12:08:24 UTC
*** Bug 1291065 has been marked as a duplicate of this bug. ***

Comment 13 Martin Bacovsky 2016-07-15 15:03:17 UTC
I tested the scenario from c#7 with ssl-build rollback and it worked fine. The original reproducer for this bug was blocked by two other bugs and needed workarounds from [1] and [2] to finish successfully.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356955
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1357046


---- ssl-build rollback scenario
[root@sat-snap-rhel7 ~]# satellite-installer --reset
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://sat-snap-rhel7.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

[root@sat-snap-rhel7 ~]# cp -r ~/ssl-build{,.100}

[root@sat-snap-rhel7 ~]# satellite-installer --certs-update-all
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-router-server for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-router-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/pulp-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-foreman-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-puppet-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-apache for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/java-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-foreman-proxy-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-broker for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-client-cert for update
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://sat-snap-rhel7.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

[root@sat-snap-rhel7 ~]# mv ~/ssl-build{,.101}
[root@sat-snap-rhel7 ~]# cp -r ~/ssl-build{.100,}

[root@sat-snap-rhel7 ~]# satellite-installer
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://sat-snap-rhel7.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

[root@sat-snap-rhel7 ~]# satellite-installer --certs-update-all
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-router-server for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-router-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/pulp-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-foreman-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-puppet-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-apache for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/java-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-foreman-proxy-client for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-broker for update
Marking certificate /root/ssl-build/sat-snap-rhel7.example.com/sat-snap-rhel7.example.com-qpid-client-cert for update
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://sat-snap-rhel7.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log
------



----- original reproducer test log
[root@sat-snap-rhel7 ~]# mv ssl-build{,.1}
[root@sat-snap-rhel7 ~]# rm -rf /etc/pki/katello/nssdb
[root@sat-snap-rhel7 ~]# mv /etc/candlepin/certs/amqp /etc/candlepin/certs/amqp.bak
[root@sat-snap-rhel7 ~]# satellite-installer --reset
Redirecting to /bin/systemctl stop  httpd.service
Redirecting to /bin/systemctl stop  foreman-tasks.service
Redirecting to /bin/systemctl stop  tomcat.service
could not change directory to "/root"
Redirecting to /bin/systemctl stop  httpd.service
Redirecting to /bin/systemctl stop  mongod.service
Redirecting to /bin/systemctl start  mongod.service
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://sat-snap-rhel7.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log
[root@sat-snap-rhel7 ~]# capsule-certs-generate --capsule-fqdn capsule-snap-rhel7.example.com --certs-tar ~/capsule-snap-rhel7.example.com.tar.gz
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!

  To finish the installation, follow these steps:

  If you do not have the capsule registered to the Satellite instance, then please do the following:

  1. yum -y localinstall http://sat-snap-rhel7.example.com/pub/katello-ca-consumer-latest.noarch.rpm
  2. subscription-manager register --org "Default_Organization"

  Once this is completed run the steps below to start the capsule installation:

  1. Ensure that the satellite-capsule package is installed on the system.
  2. Copy /root/capsule-snap-rhel7.example.com.tar.gz to the system capsule-snap-rhel7.example.com
  3. Run the following commands on the capsule (possibly with the customized
     parameters, see satellite-installer --scenario capsule --help and
     documentation for more info on setting up additional services):

  satellite-installer --scenario capsule\
                    --capsule-parent-fqdn                         "sat-snap-rhel7.example.com"\
                    --foreman-proxy-register-in-foreman           "true"\
                    --foreman-proxy-foreman-base-url              "https://sat-snap-rhel7.example.com"\
                    --foreman-proxy-trusted-hosts                 "sat-snap-rhel7.example.com"\
                    --foreman-proxy-trusted-hosts                 "capsule-snap-rhel7.example.com"\
                    --foreman-proxy-oauth-consumer-key            "BRbNWyWK4V7hfss67AiPCCbnQ3KdEM3M"\
                    --foreman-proxy-oauth-consumer-secret         "jVwNJrEEDwyWnA2ci6P87wDQmoFZbHQH"\
                    --capsule-pulp-oauth-secret                   "5mzD8KbyNRMLD8ieo3iWcF6FUwbh4KC5"\
                    --capsule-certs-tar                           "/root/capsule-snap-rhel7.example.com.tar.gz"
  The full log is at /var/log/capsule-certs-generate.log
[root@sat-snap-rhel7 ~]# scp capsule-snap-rhel7.example.com.tar.gz vagrant.com:
capsule-snap-rhel7.example.com.tar.gz                                                                                                                                            100%   60KB  60.3KB/s   00:00    
[root@sat-snap-rhel7 ~]# logout
[vagrant@sat-snap-rhel7 ~]$ logout
Connection to 192.168.121.228 closed.
[forklift]$ vagrant ssh capsule-snap-rhel7
Last login: Fri Jul 15 14:18:50 2016 from 192.168.121.1
[vagrant@capsule-snap-rhel7 ~]$ sudo su -
[root@capsule-snap-rhel7 ~]# cp /home/vagrant/capsule-snap-rhel7.example.com.tar.gz .
cp: overwrite ‘./capsule-snap-rhel7.example.com.tar.gz’? y
[root@capsule-snap-rhel7 ~]# satellite-installer --scenario capsule\
>                     --capsule-parent-fqdn                         "sat-snap-rhel7.example.com"\
>                     --foreman-proxy-register-in-foreman           "true"\
>                     --foreman-proxy-foreman-base-url              "https://sat-snap-rhel7.example.com"\
>                     --foreman-proxy-trusted-hosts                 "sat-snap-rhel7.example.com"\
>                     --foreman-proxy-trusted-hosts                 "capsule-snap-rhel7.example.com"\
>                     --foreman-proxy-oauth-consumer-key            "BRbNWyWK4V7hfss67AiPCCbnQ3KdEM3M"\
>                     --foreman-proxy-oauth-consumer-secret         "jVwNJrEEDwyWnA2ci6P87wDQmoFZbHQH"\
>                     --capsule-pulp-oauth-secret                   "5mzD8KbyNRMLD8ieo3iWcF6FUwbh4KC5"\
>                     --capsule-certs-tar                           "/root/capsule-snap-rhel7.example.com.tar.gz"
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  The full log is at /var/log/foreman-installer/capsule.log
--------

Comment 14 Martin Bacovsky 2016-07-15 15:07:26 UTC
VERIFIED
sat6.2 snap20.1

Comment 15 Bryan Kearney 2016-07-27 11:24:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

