Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1262073

Summary: Pulp tasks tries to connect to 127.0.0.1 instead of localhost hostname
Product: Red Hat Satellite Reporter: Stephen Benjamin <stbenjam>
Component: PulpAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: NightlyCC: bbuckingham, bkearney, bmbouter, cwelton, daviddavis, dkliban, ggainey, ipanova, jyejare, mhrivnak, pcreech, rchan, stbenjam, ttereshc
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 09:18:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1246263, 1252573    

Description Stephen Benjamin 2015-09-10 18:43:30 UTC 
Description of problem:

/etc/pulp/server.conf contains:

  [tasks] 
  broker_url: qpid://localhost:5671
  celery_require_ssl: true
  cacert: /etc/pki/katello/certs/katello-default-ca.crt
  keyfile: /etc/pki/katello/qpid_client_striped.crt
  certfile: /etc/pki/katello/qpid_client_striped.crt

However, pulp tries to connect to the IP and then claims the certificate doesn't match - the certificate DOES have a `localhost` CN.

Sep 10 14:42:06 katello-centos7-bats.example.com pulp[24219]: pulp.server.async.scheduler:ERROR: Connection hostname '127.0.0.1' does not match names from peer certificate: ['katello-centos7-bats.example.com', 'localhost', u'katello-centos7-bats.example.com']


Version-Release number of selected component (if applicable):
python-celery-3.1.11-1.el7.noarch
pulp-docker-plugins-1.0.1-1.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
pulp-nodes-common-2.6.2-1.el7.noarch
python-kombu-3.0.24-8.pulp.el7.noarch
python-pulp-docker-common-1.0.1-1.el7.noarch
pulp-server-2.6.2-1.el7.noarch
python-pulp-rpm-common-2.6.2-1.el7.noarch
python-rhsm-1.8.0-2.pulp.el7.x86_64
python-pulp-bindings-2.6.2-1.el7.noarch
python-pulp-puppet-common-2.6.2-1.el7.noarch
pulp-rpm-plugins-2.6.2-1.el7.noarch
pulp-katello-0.4-3.el7.noarch
rubygem-smart_proxy_pulp-1.0.1-2.el7.noarch
python-pulp-common-2.6.2-1.el7.noarch
pulp-selinux-2.6.2-1.el7.noarch
pulp-puppet-plugins-2.6.2-1.el7.noarch
pulp-puppet-tools-2.6.2-1.el7.noarch
pulp-nodes-parent-2.6.2-1.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1. Configure pulp to connect to broker on localhost
2. Restart everything

Actual results:
Celery tries 127.0.0.1 for broker connection

Expected results:
Should use localhost


Additional info:
Comment 1 pulp-infra@redhat.com 2015-09-10 21:30:17 UTC 
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
Comment 2 pulp-infra@redhat.com 2015-09-10 21:30:17 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 4 pulp-infra@redhat.com 2015-10-02 18:30:22 UTC 
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
Comment 5 pulp-infra@redhat.com 2015-10-02 18:50:34 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 6 Brian Bouterse 2015-10-02 19:06:06 UTC 
The commit associated with the upstream issue create 3.0.24-10. The commit should cherry pick cleanly on the upstream 3.0.24-9 release of python-kombu. If there are any issues applying the cherry pick, NEEDSINFO me.
Comment 7 pulp-infra@redhat.com 2015-10-22 15:00:43 UTC 
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 8 pulp-infra@redhat.com 2015-11-06 20:00:25 UTC 
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 9 Bryan Kearney 2016-01-04 15:28:28 UTC 
Moving this to POST. Please verify once 2.7 or greater is incorporated into the build.
Comment 12 Jitendra Yejare 2016-04-15 11:33:03 UTC 
Verified this issue on Sat 6.2 snap 8.1

I see that pulp is trying to connect to localhost and not to IP:
ERROR: ("Connection hostname 'localhost' does not match names from peer certificate: ['qeblade36.rhq.lab.eng.bos.redhat.com', u'qeblade36.rhq.lab.eng.bos.redhat.com']",)


But I see still error related to this change of broker url to 'localhost' as above and also this:
Apr 15 07:21:38 qeblade36 pulp: celery.worker.consumer:ERROR: (25749-58496) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['qeblade36.rhq.lab.eng.bos.redhat.com', u'qeblade36.rhq.lab.eng.bos.redhat.com']",).

And as per my opinion, these errors looks out of contest of this bug. And the main issue of connecting to localhost is solved.

Please feel free to reopen the bug, if I am wrong.
Comment 13 Jitendra Yejare 2016-04-15 11:40:17 UTC 
Moving this to Assigned.

I further explore the impacts and I see that enabling Redhat Repos is failing with error - ' There was an issue with the backend service pulp: No pulp workers running.' due to see this change.

And I believe this change is blocking and impacting the satelltie server as pulp workers are not running.

So changing this to 'Failed QA'
Comment 14 Stephen Benjamin 2016-04-15 12:53:05 UTC 
Ah sorry, this probably should've just been marked as a dev task and not QE'd.  It was just a bug fix in an underlying library that's needed for another BZ.

I think you can mark this VERIFIED. 

Your test did verify the change worked. Previously, if you put localhost as the qpid URL, pulp would replace it with 127.0.0.1 and do all the SSL verification against that.  Your test shows it's keeping the 'localhost' name.

The certificate issue is totally expected.

https://bugzilla.redhat.com/show_bug.cgi?id=1252573 is where we'll change the default to connect to localhost and update the certificates.
Comment 15 Jitendra Yejare 2016-04-18 06:40:51 UTC 
Moving this to verified as per comment 14 from Stephen.

Thanks Stephen for the explanation.
Comment 17 errata-xmlrpc 2016-07-27 09:18:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501