Bug 1346096 - pulp creates SSL/TLS certificates needs to be unique per instance or install but this value is created at install-time and not during the first run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.2.0
Hardware: All
OS: All
high
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Ivan Necas
URL:
Whiteboard:
Depends On:
Blocks: 1346019
 
Reported: 2016-06-14 01:18 UTC by Kurt Seifried
Modified: 2021-04-06 17:57 UTC (History)

Fixed In Version: pulp-2.13.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:51:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Pulp Redmine 2013 0 High CLOSED - CURRENTRELEASE SSL certs are created at install time, but should be at setup runtime 2017-04-27 14:06:16 UTC

Description Kurt Seifried 2016-06-14 01:18:10 UTC
Version-Release number of selected component (if applicable):

pulp-2.4.1-0.7.beta.el7sat but latest upstream also has it.

How reproducible:

Always.

postinstall:
  openssl genrsa -out $KEY_PATH 2048 &> /dev/null
  openssl rsa -in $KEY_PATH -pubout > $KEY_PATH_PUB 2> /dev/null



Steps to Reproduce:
1. Install to a container or image.
2. Run new instance of container or image.
3.

Actual results:

All container and image instances share the same key/cert.

Expected results:

Each instance should receive a unique key/cert.

Additional info:

This bug is being filed because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506

The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.
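One way to do the "runtime check and generation" described in the report, shown as an added example that is not part of the original report and not Pulp's or Red Hat's actual fix. The function name ensure_instance_key is hypothetical; the two paths are supplied by the caller, as KEY_PATH and KEY_PATH_PUB are in the postinstall snippet above.

```shell
#!/bin/sh
# Added example: generate the key pair on first service start instead of in the
# RPM postinstall, so every container or image instance gets its own key.
# ensure_instance_key is a hypothetical name, not taken from Pulp.

# Usage: ensure_instance_key "$KEY_PATH" "$KEY_PATH_PUB"
# Safe to call on every start: existing keys are never overwritten.
ensure_instance_key() {
    key_path=$1
    key_path_pub=$2
    key_dir=$(dirname "$key_path")

    if [ ! -s "$key_path" ]; then
        mkdir -p "$key_dir" || return 1
        # Subshell keeps the restrictive umask from leaking to the caller.
        (
            umask 077
            tmp_key=$(mktemp "$key_dir/.key.XXXXXX") || exit 1
            # ln fails if the target exists, so a concurrent starter that
            # already published a key is never clobbered.
            openssl genrsa -out "$tmp_key" 2048 2>/dev/null &&
                ln "$tmp_key" "$key_path" 2>/dev/null
            status=$?
            rm -f "$tmp_key"
            # Losing the race is fine as long as a key now exists.
            [ "$status" -eq 0 ] || [ -s "$key_path" ]
        ) || return 1
    fi

    if [ ! -s "$key_path_pub" ]; then
        # The public half is derived from whichever private key was published.
        openssl rsa -in "$key_path" -pubout -out "$key_path_pub" 2>/dev/null ||
            return 1
        chmod 0644 "$key_path_pub" || return 1
    fi
}
```

Call the function from the service's start-up path (for example a systemd ExecStartPre= step or a container entrypoint), not from an RPM scriptlet, so nothing is baked into the image at build time.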

Comment 2 Michael Hrivnak 2016-06-15 13:07:19 UTC
Thanks for the report and the links. That's very helpful.

Comment 3 Kurt Seifried 2016-06-25 03:11:52 UTC
Just a note, the first run issue can also be handled through orchestration (e.g. OpenStack, CloudForms, OpenShift Enterprise and so on). But the certificate creation MUST be removed from the rpm install scripts.

Comment 5 pulp-infra@redhat.com 2016-11-21 18:53:23 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2016-11-21 18:53:26 UTC
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-12-13 16:42:55 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-12-16 00:48:59 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 9 pulp-infra@redhat.com 2017-03-21 19:19:28 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 10 pulp-infra@redhat.com 2017-03-21 19:33:36 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 12 pulp-infra@redhat.com 2017-04-19 21:34:42 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 13 pulp-infra@redhat.com 2017-04-27 14:06:17 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 15 Ivan Necas 2017-08-30 14:59:59 UTC
Verification version: Satellite 6.3 Snap 13

Steps:

1. yum install -y satellite
2. check /etc/pki/pulp for generated keys

Result: the directory doesn't contain any keys after the rpms were installed

Comment 16 Bryan Kearney 2018-02-21 16:43:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Comment 17 Satellite Program 2018-02-21 16:51:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

