Bug 1259880 - Download of kickstart file over https fails
Summary: Download of kickstart file over https fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: anaconda
Version: 6.7
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Brian Lane
QA Contact: Release Test Team
Clayton Spicer
URL:
Whiteboard:
Depends On:
Blocks: 1269957
Reported: 2015-09-03 17:26 UTC by Hubert Kario
Modified: 2017-03-31 23:33 UTC

Fixed In Version: anaconda-13.21.249-1
Doc Type: Enhancement
Doc Text:
Using an HTTPS source for kickstart files is now supported
With this update, it is now possible to specify HTTPS sources for kickstart files.
Clone Of:
Environment:
Last Closed: 2016-05-10 20:45:53 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1341280 None CLOSED Anaconda can not install with 'fips=1' and 'ks=https://kickstart' in the kernel line, the SSL negotiation fails 2019-10-29 08:15:17 UTC
Red Hat Product Errata RHBA-2016:0798 normal SHIPPED_LIVE anaconda bug fix and enhancement update 2016-05-10 22:37:41 UTC

Internal Links: 1341280

Description Hubert Kario 2015-09-03 17:26:03 UTC
Description of problem:
When using recent RHEL-6 composes, e.g. RHEL-6.7-20150710.n.0 and RHEL-6.7-20150519.0, specifying a kickstart file over https makes the installation fail.

Version-Release number of selected component (if applicable):
RHEL-6.7-20150710.n.0

How reproducible:
always

Steps to Reproduce:
1. Run installation with ks=https://www.redhat.com/

Actual results:
In 3rd VT:
   Error downloading https://www.redhat.com/: Problem with the SSL CA cert (path? access rights?)

But using wireshark on the VM I don't see any TLS communication, just a TCP connection getting opened and then right away closed, so there's no way for the server TLS configuration to have any effect on the download.

Expected results:
anaconda being able to download kickstart file over HTTPS

Additional info:
This is a regression from bug 696696. This functionality is also described as working in https://access.redhat.com/solutions/1016

I'm guessing that the root cause is anaconda being unable to locate/initialize/load the system trust store with CA certificates. In other words, related to bug 1182297.

Comment 3 Brian Lane 2015-09-03 19:37:17 UTC
Proposed patch to add ca-bundle.crt to initrd.

https://github.com/rhinstaller/anaconda/pull/343

Comment 7 Brian Lane 2016-02-24 00:00:06 UTC
https://github.com/rhinstaller/anaconda/pull/520 should fix it, sorry about that.

Comment 8 Brian Lane 2016-02-24 15:30:58 UTC
Note that the commit was pushed with the wrong bz# in the commit message (1303855).

Comment 11 Jan Stodola 2016-03-14 09:27:57 UTC
Retested with anaconda-13.21.249-1.el6, ca-bundle.crt is present in initrd.img:

$ lsinitrd initrd.img | grep ca-bundle.crt
-rw-r--r--   1 root     root       863389 Mar  8 19:25 etc/pki/tls/certs/ca-bundle.crt
$

With "ks=https://www.redhat.com/" on the kernel command line, anaconda downloaded the file without errors and tried to use it (which failed as expected).

Moving to VERIFIED.
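
The manual check from Comment 11, generalised as an added example (not part of the original bug report and not anaconda code): a shell function that reads an `lsinitrd` listing and reports whether the CA bundle is present, non-empty and, if it is a symlink, whether its target was copied into the image. The function name, the exit codes and every sample line other than the one quoted in Comment 11 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an initrd listing for a usable CA bundle.
# Usage (assumed): lsinitrd initrd.img | check_ca_bundle [path-inside-image]
# Exit status: 0 usable, 1 missing, 2 empty file, 3 dangling/looping symlink.
check_ca_bundle() {
    awk -v want="${1:-etc/pki/tls/certs/ca-bundle.crt}" '
        # Normalise "./etc/x" and "/etc/x" to "etc/x".
        function norm(p) { sub(/^\.?\//, "", p); return p }
        NF >= 9 {   # "ls -l" style line: mode links owner group size date(3) name
            path = norm($9)
            kind[path] = substr($1, 1, 1)
            size[path] = $5
            if (kind[path] == "l" && $10 == "->") dest[path] = norm($11)
        }
        END {
            if (!(want in kind)) exit 1
            p = want
            # Follow absolute symlink targets; the hop limit stops loops.
            for (hops = 0; hops < 8 && (p in kind) && kind[p] == "l"; hops++)
                p = dest[p]
            if (!(p in kind) || kind[p] != "-") exit 3
            if (size[p] + 0 == 0) exit 2
            exit 0
        }'
}

# First line is the listing quoted in Comment 11; the second is constructed.
sample_fixed() {
    cat <<'EOF'
-rw-r--r--   1 root     root       863389 Mar  8 19:25 etc/pki/tls/certs/ca-bundle.crt
-rwxr-xr-x   1 root     root        12345 Mar  8 19:25 usr/bin/example
EOF
}
# Constructed: the bundle is a symlink whose target was not copied in.
sample_dangling() {
    cat <<'EOF'
lrwxrwxrwx   1 root     root           49 Mar  8 19:25 etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
EOF
}

rc=0; sample_fixed | check_ca_bundle || rc=$?
echo "fixed image: status $rc"
rc=0; sample_dangling | check_ca_bundle || rc=$?
echo "dangling symlink: status $rc"
```

Relative symlink targets are not resolved and are reported as status 3.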

Comment 13 errata-xmlrpc 2016-05-10 20:45:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0798.html

Comment 15 Michal Kovarik 2016-07-25 11:18:19 UTC
See bug 1341280

