Description of problem:
Currently, tog-pegasus stores SSL certificates in the /etc/Pegasus directory. There is a request to move them to a better place (at least because of SELinux), see rhbz#1308809. It seems reasonable to move them to /etc/pki/Pegasus. However, wbemcli has /etc/Pegasus hardcoded as the default path to the required certificate 'client.pem'. If the path changes, a common https connection (without the '-noverify' flag) will fail:

# wbemcli ei -nl 'https://root:$PASS@localhost:5989/root/cimv2:PG_OperatingSystem'
*
* wbemcli: Http Exception: Could not open CA certificate file: /etc/Pegasus/client.pem (No such file or directory)
*

Of course, it could be fixed by '-cacert /etc/pki/Pegasus' (or '-noverify'), but until that time any script using wbemcli would be broken - regression.
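A defensive wrapper for scripts caught by the path change described above, added here as an example and not part of the bug report or of sblim-wbemcli: it looks for client.pem in the new and old locations, passes it with -cacert, and refuses to run rather than fall back to -noverify. The function names and the PEGASUS_CA_CANDIDATES and WBEMCLI variables are assumptions made for the example, as is treating the -cacert argument as a file path.

```shell
#!/bin/sh
# Added example: pick the CA file for wbemcli explicitly and fail closed.
# Default candidates are the new and old locations named in this report.
# PEGASUS_CA_CANDIDATES and WBEMCLI are hypothetical override variables.

# Print the first candidate that is a readable file holding a PEM certificate.
pegasus_ca_file() {
    [ "$#" -gt 0 ] || set -- /etc/pki/Pegasus/client.pem /etc/Pegasus/client.pem
    for pcf_path in "$@"; do
        if [ -f "$pcf_path" ] && [ -r "$pcf_path" ] &&
           grep -q -e '-----BEGIN CERTIFICATE-----' "$pcf_path"; then
            printf '%s\n' "$pcf_path"
            return 0
        fi
    done
    return 1
}

# Usage: wbemcli_verified OP [wbemcli options...] URL
# -cacert is placed after the operation, the same position the report's
# command line uses for -nl. There is no fallback to -noverify.
wbemcli_verified() {
    if [ "$#" -lt 2 ]; then
        echo "usage: wbemcli_verified OP [OPTIONS] URL" >&2
        return 64
    fi
    # PEGASUS_CA_CANDIDATES is a space-separated list; splitting is intended.
    # shellcheck disable=SC2086
    if ! wv_ca=$(pegasus_ca_file ${PEGASUS_CA_CANDIDATES:-}); then
        echo "wbemcli_verified: no CA certificate found;" \
             "not disabling verification" >&2
        return 2
    fi
    wv_op=$1
    shift
    "${WBEMCLI:-wbemcli}" "$wv_op" -cacert "$wv_ca" "$@"
}
```
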
I tried to reproduce this by running TC#289077 /CoreOS/sblim/tools/wbemcli-command-segfaults-when-called-with-https-scheme on a RHEL-7.4 compose with downgraded wbemcli:

# rpm -ql tog-pegasus | grep pem$
/etc/pki/Pegasus/client.pem
/etc/pki/Pegasus/file.pem
/etc/pki/Pegasus/server.pem
/etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
# rpm -q tog-pegasus sblim-wbemcli
tog-pegasus-2.14.1-5.el7.x86_64
sblim-wbemcli-1.6.2-10.el7.x86_64
#

I get a different message, though:

:: [ BEGIN ] :: Running 'wbemcli ei 'https://pegasus:test@localhost:5989/root/cimv2:Linux_BlockStorageStatisticalData' > TESTOUT'
*
* wbemcli: Http Exception: Problem with the SSL CA cert (path? access rights?)
*

Is it possible that the error message has changed? Or I'm doing something wrong?
(In reply to Alois Mahdal from comment #4)
>
> Is it possible that the error message has changed? Or I'm doing something
> wrong?

The message in comment#1 is from the latest version of sblim-wbemcli and it differs from the version shipped within RHEL7.
OK, so I tried running a slightly modified version of test TC#289077 (just to run something with HTTPS) with the following version combinations:

tog-pegasus   | sblim-wbemcli || result
==============|===============||========
2.14.1-3.el7  | 1.6.2-10.el7  || pass
2.14.1-3.el7  | 1.6.2-11.el7  || fail
2.14.1-5.el7  | 1.6.2-10.el7  || fail
2.14.1-5.el7  | 1.6.2-11.el7  || pass

This is expected behavior: if tog-pegasus is updated, sblim-wbemcli must be updated as well. (Errata dependencies are set in a way that guarantees that either both or none will be available at the same time.)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1970