Bug 1370169 - Satellite 6.2 is unable to download CA certificate from RHEV 4.0
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Compute Resources - RHEV
6.2.0
Unspecified Unspecified
unspecified Severity high
: 6.2.9
: Unused
Assigned To: Lukas Zapletal
Peter Ondrejka
: Triaged
: 1375602 1388749
Depends On:
Blocks: 1375606 1426391
Reported: 2016-08-25 08:37 EDT by Sebastian Hetze
Modified: 2017-05-01 09:53 EDT

See Also:
Fixed In Version: foreman-1.11.0.75-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1426391
Environment:
Last Closed: 2017-05-01 09:53:56 EDT
Type: Bug
Attachments
vms-rhev3 (33.48 KB, image/png)
2017-03-30 04:46 EDT, Peter Ondrejka
vms-rhev4 (23.61 KB, image/png)
2017-03-30 04:48 EDT, Peter Ondrejka


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 15163 None None None 2016-08-25 08:41 EDT
Red Hat Product Errata RHBA-2017:1191 normal SHIPPED_LIVE Satellite 6.2.9 Async Bug Release 2017-05-01 13:49:42 EDT

Description Sebastian Hetze 2016-08-25 08:37:06 EDT
Description of problem:

When adding a RHV4 compute resource, the required X509 Certification Authorities is not loaded automatically.

Version-Release number of selected component (if applicable):
foreman 1.11.0.49

How reproducible:
always

Steps to Reproduce:
1. add new compute resource type RHEV with RHV-4.0 backend


Actual results:
 X509 field contains error message
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /ca.crt was not found on this server.</p>
</body></html>

Expected results:
proper x509 cert

Additional info:
The URL to download the ca.crt must be changed into 
http://rhv4-fqdn//ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
Comment 1 Ohad Levy 2016-08-25 08:41:16 EDT
Connecting redmine issue http://projects.theforeman.org/issues/15163 from this bug
Comment 2 Bryan Kearney 2016-08-25 10:19:00 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/15163 has been closed
Comment 4 Lukas Zapletal 2016-09-23 03:53:07 EDT
*** Bug 1375602 has been marked as a duplicate of this bug. ***
Comment 6 Steven Mercurio 2016-10-18 00:04:51 EDT
I managed to get past the ca.crt was not found on this server error by manually pasting in the ca crt.  My next problem though is I get a "404 Resource Not Found" error on the URL line.  Has the https://satellite.example.com/api URL changed as well or is this still somehow related to the certificate error?
Comment 7 Wilson Harris 2016-10-26 12:28:22 EDT
Hey Steven,

I was hitting the same issue. I was able to fix it by using the below in the url field.

https://rhevm.example.com/ovirt-engine/api

I am now hitting a new Error though "undefined method `+' for nil:NilClass". This happens when clicking the "load datacenters" button.
Comment 8 Greg Procunier 2016-10-27 17:07:33 EDT
Confirmed as well.

As of satellite-6.2.3-1.0.el7sat adding a RHEV4 compute resource fails to use the correct method to get the server certificate.

If you manually paste the extracted ca.crt into the certificate box in the GUI it then fails with 

2016-10-27 16:46:02 [app] [W] Action failed
 | NoMethodError: undefined method `+' for nil:NilClass
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/ovirt/base_object.rb:13:in `parse_version'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/ovirt/datacenter.rb:21:in `block in parse_xml_attributes!'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/nokogiri-1.6.6.2/lib/nokogiri/xml/node_set.rb:187:in `block in each'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/nokogiri-1.6.6.2/lib/nokogiri/xml/node_set.rb:186:in `upto'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/nokogiri-1.6.6.2/lib/nokogiri/xml/node_set.rb:186:in `each'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/ovirt/datacenter.rb:20:in `collect'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/ovirt/datacenter.rb:20:in `parse_xml_attributes!'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/ovirt/datacenter.rb:8:in `initialize'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/client/datacenter_api.rb:16:in `new'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/client/datacenter_api.rb:16:in `block in datacenters'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/nokogiri-1.6.6.2/lib/nokogiri/xml/node_set.rb:187:in `block in each'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/nokogiri-1.6.6.2/lib/nokogiri/xml/node_set.rb:186:in `upto'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/nokogiri-1.6.6.2/lib/nokogiri/xml/node_set.rb:186:in `each'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/client/datacenter_api.rb:15:in `collect'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rbovirt-0.0.37/lib/client/datacenter_api.rb:15:in `datacenters'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/fog-1.38.0/lib/fog/ovirt/requests/compute/datacenters.rb:6:in `datacenters'
 | /usr/share/foreman/app/models/compute_resources/foreman/model/ovirt.rb:328:in `client'
 | /usr/share/foreman/app/models/compute_resources/foreman/model/ovirt.rb:371:in `update_available_operating_systems'
 | /usr/share/foreman/app/models/compute_resources/foreman/model/ovirt.rb:328:in `client'
 | /usr/share/foreman/app/models/compute_resources/foreman/model/ovirt.rb:371:in `update_available_operating_systems'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:424:in `block in make_lambda'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:160:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:160:in `block in halting'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:166:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:166:in `block in halting'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:166:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:166:in `block in halting'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:86:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:86:in `run_callbacks'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activemodel-4.1.5/lib/active_model/validations/callbacks.rb:111:in `run_validations!'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activemodel-4.1.5/lib/active_model/validations.rb:318:in `valid?'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/validations.rb:70:in `valid?'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/validations.rb:77:in `perform_validations'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/validations.rb:51:in `save'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/attribute_methods/dirty.rb:21:in `save'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:268:in `block (2 levels) in save'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:329:in `block in with_transaction_returning_status'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/connection_adapters/abstract/database_statements.rb:201:in `block in transaction'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/connection_adapters/abstract/database_statements.rb:209:in `within_new_transaction'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/connection_adapters/abstract/database_statements.rb:201:in `transaction'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:208:in `transaction'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:326:in `with_transaction_returning_status'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:268:in `block in save'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:283:in `rollback_active_record_state!'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activerecord-4.1.5/lib/active_record/transactions.rb:267:in `save'
 | /usr/share/foreman/app/controllers/compute_resources_controller.rb:27:in `create'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/actionpack-4.1.5/lib/action_controller/metal/implicit_render.rb:4:in `send_action'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/actionpack-4.1.5/lib/abstract_controller/base.rb:189:in `process_action'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/actionpack-4.1.5/lib/action_controller/metal/rendering.rb:10:in `process_action'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/actionpack-4.1.5/lib/abstract_controller/callbacks.rb:20:in `block in process_action'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:113:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:113:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:149:in `block in halting_and_conditional'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:299:in `call'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/callbacks.rb:299:in `block (2 levels) in halting'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/rails-observers-0.1.2/lib/rails/observers/action_controller/caching/sweeping.rb:73:in `around'
 | /opt/rh/rh-ror41/root/usr/share/gems/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
 | /usr/share/gems/gems/passenger-4.0.18/lib/phusion_passenger/rack/thread_handler_extension.rb:77:in `process_request'
 | /usr/share/gems/gems/passenger-4.0.18/lib/phusion_passenger/request_handler/thread_handler.rb:140:in `accept_and_process_next_request'
 | /usr/share/gems/gems/passenger-4.0.18/lib/phusion_passenger/request_handler/thread_handler.rb:108:in `main_loop'
 | /usr/share/gems/gems/passenger-4.0.18/lib/phusion_passenger/request_handler.rb:441:in `block (3 levels) in start_threads'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `call'
 | /opt/theforeman/tfm/root/usr/share/gems/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `block in create_with_logging_context'
2016-10-27 16:46:02 [app] [I]   Rendered common/500.html.erb within layouts/application (1.6ms)
2016-10-27 16:46:02 [app] [I]   Rendered layouts/_application_content.html.erb (0.3ms)
2016-10-27 16:46:02 [app] [I]   Rendered layouts/base.html.erb (1.1ms)
2016-10-27 16:46:02 [app] [I] Completed 500 Internal Server Error in 106ms (Views: 4.1ms | ActiveRecord: 2.5ms)
Comment 9 Ian Tewksbury 2016-11-21 15:54:56 EST
I am seeing this as well. 

Satellite 6.2.4
RHV 4.0.2.6-0.1.el7ev
Comment 11 Ian Tewksbury 2016-11-21 15:57:34 EST
Doing https://MY_RHV_SERVER/ovirt-engine/api/v3 rather than https://MY_RHV_SERVER/ovirt-engine/api fixed the "undefined method `+' for nil:NilClass" error for me.
Comment 12 Steven Mercurio 2016-11-21 17:19:59 EST
Using this:

https://rhevm.example.com/ovirt-engine/api/v3

in conjunction with pasting in the right cert DOES allow me to list datacenters BUT when I click "test Connection"  I get:

401 Unauthorized
Comment 13 Ian Tewksbury 2016-11-22 06:32:13 EST
@Steve,

I am no expert, but that sounds like something is wrong with your credentials. Have you verified your RHV credentials are correct?
Comment 14 Lukas Zapletal 2016-11-22 06:55:06 EST
Guys,

this is a regression in Satellite 6.2 with RHEV 4.0, the CA certificate of the RHEV 4.0+ cannot be automatically downloaded. This happens when the CA field in the Compute Resource detail is empty (Satellite automatically downloads it from RHEV). This has been changed in RHEV 4.0, therefore we need to backport a change into Satellite 6.2 to change the source URL (which is no longer valid in 4.0).

This bug is scheduled for the next z-stream release, until then, you need to get the CA certificate from RHEV 4 and paste it into Satellite 6 RHEV Compute Resource manually as a whole PEM block (BEGIN CERTIFICATE / END CERTIFICATE). If the server is not self-signed, paste all certificates concatenated one after each other.

I can't tell where you can find the certificate in RHEV 4.0, I assume somewhere in the Administer UI.
Comment 15 Ian Tewksbury 2016-11-22 07:04:36 EST
Lukas,

The foreman bug, http://projects.theforeman.org/issues/15163, gives the following suggestion for downloading the CA for RHV 4.0, and it worked for me.

/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
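
An added example (not from this bug report or from Foreman's code) of the download the thread describes: try the RHEV 4.0 path, fall back to the older /ca.crt, and accept a response only if it parses as PEM certificates, so the 404 page from the description is rejected instead of landing in the X509 field. `download_ca`, `parse_ca_bundle`, the `fetcher` callable and the sample data are assumptions made for illustration.

```ruby
require 'openssl'
require 'uri'

# RHEV 4.0 path quoted in this bug first, then the older /ca.crt location.
CA_PATHS = [
  '/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA',
  '/ca.crt'
].freeze
PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every PEM block in the body; raise when there is none, so an HTML
# error page is never stored in the X509 field.
def parse_ca_bundle(body)
  blocks = body.to_s.scan(PEM_BLOCK)
  raise ArgumentError, 'no PEM certificate in response' if blocks.empty?
  blocks.map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# fetcher is a hypothetical callable (url -> body) so the example runs offline.
def download_ca(engine_url, fetcher)
  CA_PATHS.each do |path|
    url = URI.join(engine_url, path).to_s
    begin
      certs = parse_ca_bundle(fetcher.call(url))
    rescue ArgumentError, OpenSSL::X509::CertificateError
      next # not a certificate: try the next known location
    end
    prints = certs.map { |c| OpenSSL::Digest::SHA256.hexdigest(c.to_der) }
    return { url: url, pem: certs.map(&:to_pem).join, sha256: prints }
  end
  nil
end

# Constructed sample data: a throwaway self-signed CA and a 404 page.
def constructed_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-rhv-ca')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
NOT_FOUND_HTML = '<html><head><title>404 Not Found</title></head></html>'.freeze
```

The returned SHA-256 fingerprints can be compared with the engine's CA out of band before the PEM is saved in the compute resource.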
Comment 16 Peter Ondrejka 2016-11-22 10:11:23 EST
Verified in Satellite 6.3 snap 6 together with rhev 4.0.3-0.1.el7ev. When using the .../ovirt-engine/api path, I'm able to load the datacenters, I get the X509 field populated, can successfully test the connection and create the CR.
Comment 17 Steven Mercurio 2016-11-22 10:56:56 EST
(In reply to Ian Tewksbury from comment #13)
> @Steve,
> 
> I am no expert, but that sounds like something is wrong with your
> credentials. Have you verified your RHV credentials are correct?

Yes,

My credentials are right.  Even admin@internal gives me the same result.
Comment 18 Lukas Zapletal 2016-11-23 05:15:45 EST
Steven, make sure you have the correct server certificate in the form. Due to this bug, you can't simply delete it because auto-negotiation won't work, you need to pastebin it manually from RHEV.
Comment 19 Shlomi Zadok 2016-12-21 06:27:24 EST
*** Bug 1388749 has been marked as a duplicate of this bug. ***
Comment 20 pm-sat@redhat.com 2017-02-23 16:09:11 EST
Please add verification steps for this bug to help QE verify
Comment 21 Lukas Zapletal 2017-02-24 07:59:41 EST
QA steps:

1) Define RHEV 4 compute resource
2) Submit
3) List VMs
Comment 22 Tom Gamull 2017-03-01 08:52:12 EST
Is this for Sat 6.2 or Sat 6.3? https://bugzilla.redhat.com/show_bug.cgi?id=1426391 seems to indicate the latter but the flag is 6.2.  I don't think it matters but if for both can the documentation be updated to reflect the workaround?
Comment 23 Lukas Zapletal 2017-03-01 10:33:59 EST
This is for 6.2.
Comment 26 Lukas Zapletal 2017-03-21 09:05:28 EDT
********** UPDATED QA steps ********** 

1) Define RHEV 4 compute resource
2) Submit
3) List VMs

1) Define RHEV 3.3 (or older) compute resource
2) Submit
3) List VMs

Make sure to test twice, on 4.0 and 3.3 or older RHEV to verify regressions please.
Comment 27 Peter Ondrejka 2017-03-30 04:46 EDT
Created attachment 1267445
vms-rhev3
Comment 28 Peter Ondrejka 2017-03-30 04:48 EDT
Created attachment 1267446
vms-rhev4
Comment 29 Peter Ondrejka 2017-03-30 04:50:05 EDT
Verified in 6.2.9-2 using rhev3 and rhev4, compute resources.
Comment 30 Ian Tewksbury 2017-03-30 06:43:39 EDT
Thank you everyone who has worked on this. Your dedication is very much appreciated.
Comment 32 errata-xmlrpc 2017-05-01 09:53:56 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191