Red Hat Bugzilla – Bug 1259880
Download of kickstart file over https fails
Last modified: 2017-03-31 19:33:13 EDT
Description of problem:
When using recent RHEL-6 composes, e.g. RHEL-6.7-20150710.n.0 and RHEL-6.7-20150519.0, specifying a kickstart file over https makes the installation fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run installation with ks=https://www.redhat.com/
In 3rd VT:
Error downloading https://www.redhat.com/: Problem with the SSL CA cert (path? access rights?)
But using wireshark on the VM I don't see any TLS communication, just a TCP connection getting opened and then right away closed, so there's no way for the server TLS configuration to have any effect on the download.
anaconda being able to download kickstart file over HTTPS
This is a regression from bug 696696. This functionality is also described as working in https://access.redhat.com/solutions/1016
I'm guessing that the root cause is anaconda being unable to locate/initialize/load the system trust store with CA certificates. In other words, related to bug 1182297.
Proposed patch to add ca-bundle.crt to initrd.
https://github.com/rhinstaller/anaconda/pull/520 should fix it, sorry about that.
Note that the commit was pushed with the wrong bz# in the commit message (1303855).
Retested with anaconda-13.21.249-1.el6, ca-bundle.crt is present in initrd.img:
$ lsinitrd initrd.img | grep ca-bundle.crt
-rw-r--r-- 1 root root 863389 Mar 8 19:25 etc/pki/tls/certs/ca-bundle.crt
With "ks=https://www.redhat.com/" on the kernel command line, anaconda downloaded the file without errors and tried to use it (which failed as expected).
Moving to VERIFIED.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
See bug 1341280