Bug 1259880 - Download of kickstart file over https fails
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: anaconda
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Brian Lane
QA Contact: Release Test Team
Docs Contact: Clayton Spicer
Blocks: 1269957
Reported: 2015-09-03 13:26 EDT by Hubert Kario
Modified: 2017-03-31 19:33 EDT
Fixed In Version: anaconda-13.21.249-1
Doc Type: Enhancement
Doc Text:
Using an HTTPS source for kickstart files is now supported. With this update, it is now possible to specify HTTPS sources for kickstart files.
Last Closed: 2016-05-10 16:45:53 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0798 normal SHIPPED_LIVE anaconda bug fix and enhancement update 2016-05-10 18:37:41 EDT

Description Hubert Kario 2015-09-03 13:26:03 EDT
Description of problem:
When using recent RHEL-6 composes, e.g. RHEL-6.7-20150710.n.0 and RHEL-6.7-20150519.0, specifying a kickstart file over https makes the installation fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run installation with ks=https://www.redhat.com/

Actual results:
In 3rd VT:
   Error downloading https://www.redhat.com/: Problem with the SSL CA cert (path? access rights?)

But using wireshark on the VM I don't see any TLS communication, just a TCP connection getting opened and then right away closed, so there's no way for the server TLS configuration to have any effect on the download.

Expected results:
anaconda being able to download kickstart file over HTTPS

Additional info:
This is a regression from bug 696696. This functionality is also described as working in https://access.redhat.com/solutions/1016

I'm guessing that the root cause is anaconda being unable to locate/initialize/load the system trust store with CA certificates. In other words, related to bug 1182297.
Comment 3 Brian Lane 2015-09-03 15:37:17 EDT
Proposed patch to add ca-bundle.crt to initrd.

Comment 7 Brian Lane 2016-02-23 19:00:06 EST
https://github.com/rhinstaller/anaconda/pull/520 should fix it, sorry about that.
Comment 8 Brian Lane 2016-02-24 10:30:58 EST
Note that the commit was pushed with the wrong bz# in the commit message (1303855).
Comment 11 Jan Stodola 2016-03-14 05:27:57 EDT
Retested with anaconda-13.21.249-1.el6, ca-bundle.crt is present in initrd.img:

$ lsinitrd initrd.img | grep ca-bundle.crt
-rw-r--r--   1 root     root       863389 Mar  8 19:25 etc/pki/tls/certs/ca-bundle.crt

With "ks=https://www.redhat.com/" on the kernel command line, anaconda downloaded the file without errors and tried to use it (which failed as expected).

Moving to VERIFIED.
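
The `lsinitrd | grep` verification from comment 11, as an added example that is not part of the bug thread or of anaconda: it parses a newc-format cpio initrd directly and reports whether the CA bundle is missing, empty, or how many PEM certificates it holds. The bundle path is the one in the lsinitrd output above; the sample archives, the `init` member and the certificate text are constructed for illustration.

```python
import gzip, lzma

BUNDLE = "etc/pki/tls/certs/ca-bundle.crt"  # path from the lsinitrd output above

def decompress(blob):
    """Return the raw cpio stream of a gzip-, xz/lzma-compressed or plain initrd."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:6] == b"070701":
        return blob
    return lzma.decompress(blob)  # auto-detects .xz and legacy .lzma

def cpio_members(data):
    """Yield (name, content) for each entry of a newc-format cpio archive."""
    pos = 0
    while data[pos:pos + 6] == b"070701":
        fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        body = (pos + 110 + namesize + 3) & ~3      # header + name padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield (name[2:] if name.startswith("./") else name), data[body:body + filesize]
        pos = (body + filesize + 3) & ~3            # file content padded to 4 bytes

def check_ca_bundle(initrd_bytes, path=BUNDLE):
    """Return the number of PEM certificates in the bundle, None if it is absent."""
    for name, content in cpio_members(decompress(initrd_bytes)):
        if name == path:
            return content.count(b"-----BEGIN CERTIFICATE-----")
    return None

def make_entry(name, content=b""):
    """Build one newc entry; used only to construct the sample archives below."""
    n = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(n), 0]
    hdr = b"070701" + b"".join(b"%08X" % f for f in fields)
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return pad(hdr + n) + pad(content)

# Constructed samples (not real initrd images or real certificates)
PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
END = make_entry("TRAILER!!!")
SAMPLE_FIXED = gzip.compress(make_entry("init", b"#!/bin/sh\n") + make_entry(BUNDLE, PEM * 2) + END)
SAMPLE_BROKEN = gzip.compress(make_entry("init", b"#!/bin/sh\n") + END)

if __name__ == "__main__":
    for label, img in (("fixed", SAMPLE_FIXED), ("broken", SAMPLE_BROKEN)):
        print(label, check_ca_bundle(img))
```

A result of `None` or `0` corresponds to the state in which the installer has no trust anchors to load; a real image would be read with `open("initrd.img", "rb").read()`.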
Comment 13 errata-xmlrpc 2016-05-10 16:45:53 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 15 Michal Kovarik 2016-07-25 07:18:19 EDT
See bug 1341280