Bug 1356697 - Unable to create a new v2_key when the old one is removed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: GA
Target Release: 5.7.0
Assignee: Keenan Brock
QA Contact: luke couzens
URL:
Whiteboard: appliance:cli:black
Depends On:
Blocks: 1357520
Reported: 2016-07-14 18:47 UTC by Jan Krocil
Modified: 2021-06-10 20:11 UTC (History)

Fixed In Version: 5.7.0.0
Doc Text:
Clone Of:
Clones: 1357520
Environment:
Last Closed: 2017-01-11 20:06:29 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:


Comment 3 Keenan Brock 2016-07-15 20:52:21 UTC
Jan,

This is a bogus warning.

1. remove the certs/v2_key
2. run bundle exec ruby tools/fix_auth.rb --key

It will throw a warning about missing a v2_key
BUT, you will notice the file was created.


Having said that, I did fix the problem. Not sure if it will get into the 5.5.z world.

https://github.com/ManageIQ/manageiq/pull/9863

Comment 4 Keenan Brock 2016-07-15 20:55:46 UTC
1. I'm seeing this warning in 5.5.5.2 and master
2. Is it generating the key for you? I'm seeing it generate the key for both versions

Comment 6 CFME Bot 2016-07-15 22:40:45 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/dd103d713c571b5649ba610559a04764a1c8a758

commit dd103d713c571b5649ba610559a04764a1c8a758
Author:     Keenan Brock <kbrock>
AuthorDate: Fri Jul 15 16:47:18 2016 -0400
Commit:     Keenan Brock <kbrock>
CommitDate: Fri Jul 15 17:29:59 2016 -0400

    Don't load keys when generating keys
    
    Don't display a warning that the `v2_key` does not exist if we are in the process of generating the key.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1356697
    
    details:
    
    To generate a new appliance encryption key (aka `v2_key`), a user removes and adds a key:
    
    ```
    mv certs/v2_key certs/v2_key.old
    bundle exec ruby tools/fix_auth.rb --key
    ```
    
    This displays a warning, and looks like it fails but the key is generated:
    
    ```
    On an appliance, it should be generated on boot by evmserverd.
    
    If you're a developer, you can copy the certs/v2_key.dev to certs/v2_key.
    
    Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way
    passwords in your database.
    ```
    
    Now if the user had not deleted the old `certs/v2_key` then it would throw an error and
    not generate a new `v2_key`. But if you note, it is very hard for the user to know if this is a problem or not:
    
    ```
    Only generate one encryption_key (v2_key) per installation.
    Chances are you did not want to overwrite this file.
    If you do this all encrypted secrets in the database will not be readable.
    Please backup your key and run again.
    
    tools/fix_auth/fix_auth.rb:50:in `rescue in generate_password': File exists - File exists @ rb_sysopen - certs/v2_key (Errno::EEXIST)
      from tools/fix_auth/fix_auth.rb:42:in `generate_password'
      from tools/fix_auth/fix_auth.rb:90:in `run'
      from tools/fix_auth/cli.rb:37:in `run'
      from tools/fix_auth/cli.rb:41:in `run'
      from ./tools/fix_auth.rb:24:in `<main>'
    ```
    
    Solution is to not show the warning if in the process of generating the key

 tools/fix_auth/fix_auth.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
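
The behaviour the commit message above describes (no missing-key warning during a generation run, and a refusal to overwrite an existing key), as an added Ruby example. It is not ManageIQ's `fix_auth` code; the names `generate_key_file`, `run` and `rotate_demo`, the key format and the temporary directory are assumptions.

```ruby
require "securerandom"
require "base64"
require "tmpdir"
require "fileutils"

# Hypothetical helper, not ManageIQ code. The key format (base64 of 32 random
# bytes) is an assumption made for this example.
def generate_key_file(path)
  key = Base64.strict_encode64(SecureRandom.random_bytes(32))
  # File::EXCL makes the open fail with Errno::EEXIST when the file is already
  # there, so an existing key is never silently replaced.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o400) { |f| f.write(key) }
  :created
rescue Errno::EEXIST
  :exists
end

# One tool run. The key is only looked up when we are not generating it, so a
# generation run never emits the "missing key" warning.
def run(path, generate:)
  warnings = []
  if generate
    status = generate_key_file(path)
    warnings << "#{path} exists: back it up and move it aside first" if status == :exists
  else
    status = File.exist?(path) ? :loaded : :missing
    warnings << "#{path} is missing" if status == :missing
  end
  { status: status, warnings: warnings }
end

# Walks the rotation from the commit message in a constructed temp directory.
def rotate_demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "v2_key")
    first = run(path, generate: true)      # no key yet: created, no warning
    again = run(path, generate: true)      # key present: refused
    old_key = File.read(path)
    FileUtils.mv(path, "#{path}.old")      # mv certs/v2_key certs/v2_key.old
    missing = run(path, generate: false)   # ordinary run: warning is correct here
    rotated = run(path, generate: true)    # generation run: no warning
    { first: first, again: again, missing: missing, rotated: rotated,
      changed: File.read(path) != old_key, mode: File.stat(path).mode & 0o777 }
  end
end

p rotate_demo if $PROGRAM_NAME == __FILE__
```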

Comment 7 Keenan Brock 2016-07-18 01:03:27 UTC
fixed on 5.6 and 5.7

Let me know if you need anything else

--K

Comment 9 luke couzens 2016-09-21 14:13:02 UTC
Verified in 5.7.0.0
