Bug 1356955 - When default-ca is updated, it doesn't update the nssdb
Summary: When default-ca is updated, it doesn't update the nssdb
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
medium
medium vote
Target Milestone: Unspecified
Assignee: Ivan Necas
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On: 1218251
Blocks:
 
Reported: 2016-07-15 11:15 UTC by Ivan Necas
Modified: 2019-11-14 08:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:59:39 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 15700 None None None 2016-07-15 11:23:38 UTC

Description Ivan Necas 2016-07-15 11:15:22 UTC
Description of problem:
When a new default-ca gets generated (which should be a pretty rare case
and can happen, for example, when the /root/ssl-build directory is removed
without a backup), the installer generates a new ca, but it fails
to update the nssdb with the new ca, which causes issues when connecting
to qpid later.

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. satellite-installer --scenario=satellite
2. rm -rf /root/ssl-build
3. satellite-installer


Actual results:

qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]/returns: change from notrun to 0 failed: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: Failed to call refresh: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]


Expected results:

the new ca is deployed successfully

Comment 1 Ivan Necas 2016-07-15 11:22:43 UTC
A workaround is

   rm -rf /etc/pki/katello/nssdb
   satellite-installer

this makes sure the nssdb is recreated with valid certificates
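
A check for the condition this bug describes, as an added example that is not part of the original report or the installer's own code: it compares the CA stored in an NSS database with a CA file on disk, so a stale nssdb can be spotted before qpid connections fail. The CA file path and the NSS nickname are assumptions supplied by the caller; only the directory /etc/pki/katello/nssdb comes from this page.

```shell
#!/bin/sh
# Added example: report whether an NSS database still holds the current CA.
# The CA file and NSS nickname are caller-supplied (assumptions, not on the page).

# Print SHA-256 of the DER bytes of the first certificate in PEM file $1.
# Fails when the file has no certificate block or the base64 is invalid.
pem_fingerprint() {
  _body=$(awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
               /-----END CERTIFICATE-----/   {exit}
               f' "$1" 2>/dev/null | tr -d ' \t\r\n')
  [ -n "$_body" ] || return 1
  _der=$(mktemp) || return 1
  _rc=1
  if printf '%s' "$_body" | base64 -d > "$_der" 2>/dev/null; then
    sha256sum < "$_der" | cut -d' ' -f1
    _rc=0
  fi
  rm -f "$_der"
  return "$_rc"
}

# 0 = same certificate, 1 = different, 2 = one input could not be read.
same_cert() {
  _a=$(pem_fingerprint "$1") || return 2
  _b=$(pem_fingerprint "$2") || return 2
  [ "$_a" = "$_b" ]
}

# check_nssdb_ca CA_PEM NSSDB_DIR NICKNAME
# Exports NICKNAME from the NSS database as PEM (certutil -a) and compares.
check_nssdb_ca() {
  _tmp=$(mktemp) || return 2
  _rc=2
  if certutil -L -d "$2" -n "$3" -a > "$_tmp" 2>/dev/null; then
    _rc=0
    same_cert "$1" "$_tmp" || _rc=$?
  fi
  rm -f "$_tmp"
  return "$_rc"
}

# Stand-alone use: sh check.sh CA_PEM NSSDB_DIR NICKNAME
if [ "$#" -eq 3 ]; then
  if check_nssdb_ca "$1" "$2" "$3"; then echo "nssdb CA matches $1"
  else rc=$?; echo "nssdb CA stale or unreadable (rc=$rc)"; exit "$rc"; fi
fi
```

An exit status of 1 means the database holds a different CA than the file, which is the state the workaround above repairs.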

Comment 2 Ivan Necas 2016-07-15 11:23:36 UTC
Created redmine issue http://projects.theforeman.org/issues/15700 from this bug

Comment 3 Bryan Kearney 2016-07-15 14:16:08 UTC
Upstream bug assigned to inecas@redhat.com

Comment 4 Bryan Kearney 2016-07-15 14:16:10 UTC
Upstream bug assigned to inecas@redhat.com

Comment 6 Bryan Kearney 2016-10-12 20:09:25 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/15700 has been resolved.

Comment 7 Lukas Pramuk 2017-06-23 12:10:12 UTC
VERIFIED.

@satellite-6.3.0-15.0.beta.el7sat.noarch
katello-installer-base-3.4.1.3-1.el7sat.noarch

by manual reproducer in comment#0


3. # satellite-installer
Installing             Done                                               [100%] [.....................................]
  Success!
  * Katello is running at https://SATFQDN
  * To install an additional Foreman proxy on separate machine continue by running:

      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

>>> after certs storage removal in /root/ssl-build the other certs are generated as well

Comment 8 Bryan Kearney 2018-02-21 16:59:39 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

