Description of problem:
When a new default-ca gets generated (which should be a pretty rare case) and can happen for example when the /root/ssl-build directory is removed without a backup, the installer generates a new ca, but it fails updating the nssdb with the new ca, which causes issues when connecting to qpid later.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. satellite-installer --scenario=satellite
2. rm -rf /root/ssl-build
3. satellite-installer

Actual results:
qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
/Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]/returns: change from notrun to 0 failed: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
/Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: Failed to call refresh: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
/Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]

Expected results:
the new ca is deployed successfully
A workaround is:

rm -rf /etc/pki/katello/nssdb
satellite-installer

This makes sure the nssdb is recreated with valid certificates.
Created redmine issue http://projects.theforeman.org/issues/15700 from this bug
Upstream bug assigned to inecas
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/15700 has been resolved.
VERIFIED.

@satellite-6.3.0-15.0.beta.el7sat.noarch
katello-installer-base-3.4.1.3-1.el7sat.noarch

by manual reproducer in comment#0

3. # satellite-installer
Installing Done [100%] [.....................................]
Success!
* Katello is running at https://SATFQDN
* To install an additional Foreman proxy on separate machine continue by running:

foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

The full log is at /var/log/foreman-installer/satellite.log

>>> after certs storage removal in /root/ssl-build the other certs are generated as well
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336