Bug 1221749 - Puppet content promotion fails if there is no reverse DNS entry
Summary: Puppet content promotion fails if there is no reverse DNS entry
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified vote
Target Milestone: Unspecified
Assignee: Chris Roberts
QA Contact: Katello QA List
Depends On:
Blocks: sat61-release-notes
TreeView+ depends on / blocked
Reported: 2015-05-14 18:03 UTC by Lukas Zapletal
Modified: 2016-08-25 16:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-08-25 16:43:23 UTC

Attachments (Terms of Use)

Description Lukas Zapletal 2015-05-14 18:03:59 UTC
Create a CV with at least one module and promote it on a system that does not have reverse DNS record (e.g. some beaker machines):

E, [2015-05-14T13:56:31.419762 #23462] ERROR -- : Unable to resolve hostname for connecting client - If it's to be a trusted host, ensure it has a reverse DNS entry.

There is currently no workaround for this, you cannot continue until you fix this.

We should either:

A) Give the user some way to workaround this (extra switch)


B) Error out before installation if reverse DNS is not set (I was under imporession we already do this, apparently this is not working for Beta).

Comment 1 Lukas Zapletal 2015-05-14 18:10:47 UTC
Upstream in the authorize_with_trusted_hosts method we already introduce a "forward_verify" flag. We need to backport this and to introduce another one "reverse_verify". Both flags are a decent workaround for all cases.

Comment 2 RHEL Product and Program Management 2015-05-14 18:22:38 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 5 Bryan Kearney 2016-07-26 15:25:24 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 6 Bryan Kearney 2016-07-26 15:45:10 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 8 Stephen Benjamin 2016-08-25 16:43:23 UTC
I tested this and this works fine, reverse DNS is only a fallback.  The proxy looks at the CN of the certificate now in trusted hosts first, so even if customer reverse DNS is broken, promotion still works.

Note You need to log in before you can comment on or make changes to this bug.