Bug 1306964 - Installer answer file contains wrong path to the 'server_ssl_chain' file.
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.1.6
Hardware: x86_64 Linux
Priority: medium
Severity: low
Target Milestone: GA
Assigned To: Ivan Necas
QA Contact: Evgeni Golov
URL: http://projects.theforeman.org/issues...
Keywords: Triaged
Duplicates: 1249160 1402011
Reported: 2016-02-12 05:07 EST by Marcel Gazdík
Modified: 2018-02-21 11:54 EST

Doc Type: Bug Fix
Last Closed: 2018-02-21 11:54:17 EST
Type: Bug
External Trackers: Foreman Issue Tracker 13687 (last updated 2016-04-26 12:54 EDT)

Description Marcel Gazdík 2016-02-12 05:07:09 EST
Description of problem:
  Customer is trying to use a custom certificate authority chain file. Despite all the changes made in
certificate files, the path to the SSL chain file in the Apache configuration file 05-foreman-ssl.conf is wrong.
Instead of pointing to katello-default-ca.crt, it should point to katello-server-ca.crt, where
the custom chain file is saved.


Version-Release number of selected component (if applicable):
6.1.6 

How reproducible:
Install the satellite and apply custom certificates.

Steps to Reproduce:
1. Install satellite 
2. Run katello-installer to modify the certificates
  katello-installer --certs-server-cert "/root/$SAT.crt" \
  --certs-server-cert-req "/root/$SAT.csr" \
  --certs-server-key "/root/$SAT.key" \
  --certs-server-ca-cert '/root/new_ca.crt' \
  --certs-update-server \
  --certs-update-server-ca
3. Check path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf' file.

Actual results:
The 'SSLCertificateChainFile' option in the '/etc/httpd/conf.d/05-foreman-ssl.conf' file points
to 'katello-default-ca.crt' instead of 'katello-server-ca.crt'

$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"

Source of this error can be found in the katello-installer answer file:

$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt


Expected results:

Modification of the '/etc/katello-installer/answers.katello-installer.yaml' file will lead to the correct
path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf'

$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"



Additional info: (workaround)

Modify the answer file:
sed -i -e 's/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-default-ca.crt/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-server-ca.crt/' /etc/katello-installer/answers.katello-installer.yaml

re-run katello-installer without parameters.
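
An audit for the mismatch reported above, as an added example that is not part of the original report or of the installer: it reads the chain path from both files and compares each with the expected one. The function names are hypothetical, the sample files are constructed from the excerpts above, and the default expected path is the katello-server-ca.crt path quoted in this report.

```sh
#!/bin/sh
# Added example (not Red Hat's code): check the two files named in this bug.

# Print the path configured as SSLCertificateChainFile in an Apache vhost file.
chain_from_httpd() {
    awk '$1 == "SSLCertificateChainFile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Print the server_ssl_chain value from an installer answer file.
chain_from_answers() {
    awk '$1 == "server_ssl_chain:" { print $2; exit }' "$1"
}

# check_chain HTTPD_CONF ANSWERS [EXPECTED]
# Returns 0 when both files reference EXPECTED, 1 otherwise.
check_chain() {
    expected=${3:-/etc/pki/katello/certs/katello-server-ca.crt}
    httpd_chain=$(chain_from_httpd "$1")
    answer_chain=$(chain_from_answers "$2")
    rc=0
    if [ "$answer_chain" != "$expected" ]; then
        echo "answers: server_ssl_chain is '$answer_chain', expected '$expected'"
        rc=1
    fi
    if [ "$httpd_chain" != "$expected" ]; then
        echo "httpd: SSLCertificateChainFile is '$httpd_chain', expected '$expected'"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input reproducing the "Actual results" excerpts above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/05-foreman-ssl.conf" <<'EOF'
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"
EOF
cat > "$demo_dir/answers.yaml" <<'EOF'
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
EOF
if check_chain "$demo_dir/05-foreman-ssl.conf" "$demo_dir/answers.yaml"; then
    echo "chain file consistent"
else
    echo "affected: chain still points at the default CA"
fi
rm -rf "$demo_dir"
```

On a real host, pass the two file paths from this report to check_chain; a missing directive yields an empty value and is reported as a mismatch.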
Comment 1 Ivan Necas 2016-02-12 08:28:42 EST
Created redmine issue http://projects.theforeman.org/issues/13687 from this bug
Comment 2 Ivan Necas 2016-02-12 08:36:15 EST
Patch sent into the upstream installer https://github.com/Katello/katello-installer/pull/296
Comment 4 Bryan Kearney 2016-07-26 11:25:24 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 5 Bryan Kearney 2016-07-26 11:36:22 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 7 Bryan Kearney 2016-08-02 10:12:25 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/13687 has been closed
Comment 9 Ivan Necas 2016-08-16 07:11:05 EDT
*** Bug 1249160 has been marked as a duplicate of this bug. ***
Comment 11 Stephen Benjamin 2016-12-06 11:18:00 EST
*** Bug 1402011 has been marked as a duplicate of this bug. ***
Comment 12 Evgeni Golov 2017-08-23 09:51:38 EDT
VERIFIED

Version Tested: Satellite 6.3.0 Snap 12

The answers file and the httpd config now contain the right cert file:

[root@sat63-qa-rhel7 ~]# grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"

[root@sat63-qa-rhel7 ~]# grep server_ssl_chain /etc/foreman-installer/scenarios.d/katello-answers.yaml -A 1 -B 1
  server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
  server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
  server_ssl_crl: ''

[root@sat63-qa-rhel7 ~]# grep server_ssl_chain /etc/foreman-installer/scenarios.d/satellite-answers.yaml -A 1 -B 1
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
Comment 13 pm-sat@redhat.com 2018-02-21 11:54:17 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
