Created attachment 1203719
foreman-debug output

Description of problem:

# subscription-manager register --org="OSCP_PoC" --activationkey 'rhel-7-server-ak'
Task e8537148-cfe3-49d4-b8db-1211b0f3f097: RestClient::InternalServerError: 500 Internal Server Error

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I came across this while writing this: https://github.com/atgreen/idm-satellite-openshift-demo
Can you provide the output of

ls -lZ /etc/pki/pulp
ls -lZ /root/.rnd

and also check for any selinux denials?

ERROR: Unhandled Exception
ERROR: (2070-79232) error signing cert request: Signature ok
ERROR: (2070-79232) subject=/CN=f71851f0-712d-4770-a3f1-b794409d5dfa/UID=57e3c6c8b281af081699e3f9
ERROR: (2070-79232) Error opening CA Certificate /etc/pki/pulp/ca.crt
ERROR: (2070-79232) 140440626141088:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/pulp/ca.crt','r')
ERROR: (2070-79232) 140440626141088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ERROR: (2070-79232) unable to load certificate
ERROR: (2070-79232) unable to write 'random state'
ERROR: (2070-79232)
ERROR: (2070-79232) Traceback (most recent call last):
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 112, in get_response
ERROR: (2070-79232)     response = wrapped_callback(request, *callback_args, **callback_kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 69, in view
ERROR: (2070-79232)     return self.dispatch(request, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 87, in dispatch
ERROR: (2070-79232)     return handler(request, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator
ERROR: (2070-79232)     return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth
ERROR: (2070-79232)     value = method(self, *args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/util.py", line 130, in wrapper
ERROR: (2070-79232)     return func(*args, **kwargs)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/consumers.py", line 201, in post
ERROR: (2070-79232)     rsa_pub=rsa_pub)
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/consumer/cud.py", line 84, in register
ERROR: (2070-79232)     key, certificate = cert_gen_manager.make_cert(consumer_id, expiration_date, uid=str(_id))
ERROR: (2070-79232)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert
ERROR: (2070-79232)     raise Exception("error signing cert request: %%s" %% output)
ERROR: (2070-79232) Exception: error signing cert request: Signature ok
ERROR: (2070-79232) subject=/CN=f71851f0-712d-4770-a3f1-b794409d5dfa/UID=57e3c6c8b281af081699e3f9
ERROR: (2070-79232) Error opening CA Certificate /etc/pki/pulp/ca.crt
ERROR: (2070-79232) 140440626141088:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/pulp/ca.crt','r')
ERROR: (2070-79232) 140440626141088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ERROR: (2070-79232) unable to load certificate
ERROR: (2070-79232) unable to write 'random state'
(In reply to Chris Duryee from comment #2)
> Can you provide the output of
>
> ls -lZ /etc/pki/pulp
> ls -lZ /root/.rnd

[root@sat6 ~]# ls -lZ /etc/pki/pulp/
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 content
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 rsa.key
-rw-r--r--. root apache unconfined_u:object_r:pulp_cert_t:s0 rsa_pub.key
[root@sat6 ~]# ls -lZ /root/.rnd
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 /root/.rnd

> and also check for any selinux denials?

I'm running in Permissive mode. That being said:

[root@sat6 ~]# ausearch -m avc
----
time->Mon Sep 19 23:07:58 2016
type=SYSCALL msg=audit(1474340878.566:140): arch=c000003e syscall=21 success=yes exit=0 a0=7fa82d7e3070 a1=4 a2=7fa82d7e307e a3=400 items=0 ppid=1 pid=14200 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474340878.566:140): avc: denied { read } for pid=14200 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:08:02 2016
type=SYSCALL msg=audit(1474340882.278:151): arch=c000003e syscall=21 success=yes exit=0 a0=7ffd12135b90 a1=4 a2=7ffd12135b9e a3=400 items=0 ppid=1 pid=14228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474340882.278:151): avc: denied { read } for pid=14228 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:17:59 2016
type=SYSCALL msg=audit(1474341479.227:224): arch=c000003e syscall=21 success=yes exit=0 a0=7ffe5dbdade0 a1=4 a2=7ffe5dbdadee a3=400 items=0 ppid=14294 pid=14540 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474341479.227:224): avc: denied { read } for pid=14540 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 19 23:45:16 2016
type=SYSCALL msg=audit(1474343116.471:246): arch=c000003e syscall=21 success=yes exit=0 a0=7ffd121318b0 a1=4 a2=7ffd121318be a3=400 items=0 ppid=14228 pid=14538 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474343116.471:246): avc: denied { read } for pid=14538 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Sep 21 06:56:50 2016
type=SYSCALL msg=audit(1474455410.511:57): arch=c000003e syscall=21 success=yes exit=0 a0=7f2367f2c070 a1=4 a2=7f2367f2c07e a3=400 items=0 ppid=1 pid=2278 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474455410.511:57): avc: denied { read } for pid=2278 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Sep 21 07:07:02 2016
type=SYSCALL msg=audit(1474456022.923:119): arch=c000003e syscall=21 success=yes exit=0 a0=7fffd6ed10e0 a1=4 a2=7fffd6ed10ee a3=400 items=0 ppid=2040 pid=2427 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1474456022.923:119): avc: denied { read } for pid=2427 comm="celery" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
I confirmed on another 6.2 machine that ca.crt and ca.key should be in the /etc/pki/pulp dir. I'm not sure why they are missing on your machine. Can you run the following?

rpm -q pulp-server
rpm -V pulp-server
I'm closing this as a dupe of 1339904. IMO, the satellite installer should check for this seemingly common error.
RFE: if a system has no hostname, the installer should fail early. Otherwise, a script in the pulp-server rpm will fail to generate ca.crt and ca.key, causing registrations to fail. See 1339904 and https://access.redhat.com/solutions/2355891 for additional detail.
Chris, wouldn't this catch that case? https://github.com/theforeman/foreman-installer/blob/develop/checks/hostname.rb
re #7, pulp's CA cert generation can happen before the installer runs, depending on if you yum install 'satellite' or just 'satellite-installer'. If you install via the former, it will install pulp-server before the installer runs, which will generate a CA cert as part of %post.

The following will repro on el6 for sat 6.2:

* "hostname foo.bar.baz", ensure "hostname -f" returns "Unknown host"
* yum install satellite (not satellite-installer)
* satellite-installer --scenario satellite
* fix hostname, re-run satellite-installer

At this point, the install will show success, but any system registrations via subscription-manager will result in a 500 error.

Ideally, satellite-installer would check that /etc/pki/pulp/ca.crt and /etc/pki/pulp/ca.key exist, and would re-run pulp-gen-ca-certificate if not.
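
The check asked for in the comment above, as an added example that is not part of the thread and is not satellite-installer code: a POSIX shell preflight that rejects a "hostname -f" result that is not an FQDN and reports a missing or empty ca.crt or ca.key. The function names, the --check switch and the extra world-readable-key test are assumptions of this example.

```shell
#!/bin/sh
# Added example (not satellite-installer code); function names are hypothetical.

# Succeed only if $1 looks like a fully qualified name (labels joined by dots).
# Rejects empty output and error text such as "hostname: Unknown host".
fqdn_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Print one line per problem with the Pulp CA pair in directory $1.
# Returns 0 only when no problem was printed.
pulp_ca_problems() {
    ca_dir="$1"
    rc=0
    for f in ca.crt ca.key; do
        if [ ! -s "$ca_dir/$f" ]; then
            echo "missing or empty: $ca_dir/$f"
            rc=1
        fi
    done
    # Extra check, not from the thread: a CA private key must not be world-readable.
    if [ -f "$ca_dir/ca.key" ] && [ -n "$(find "$ca_dir/ca.key" -perm -004)" ]; then
        echo "world-readable private key: $ca_dir/ca.key"
        rc=1
    fi
    return "$rc"
}

# Run both checks the way an installer pre-check would; $1 defaults to /etc/pki/pulp.
preflight() {
    status=0
    fqdn=$(hostname -f 2>/dev/null) || fqdn=""
    if ! fqdn_ok "$fqdn"; then
        echo "hostname -f did not return an FQDN; fix the hostname first"
        status=1
    fi
    if ! pulp_ca_problems "${1:-/etc/pki/pulp}"; then
        echo "CA pair incomplete: re-run pulp-gen-ca-certificate once the hostname resolves"
        status=1
    fi
    return "$status"
}

# Only touch the real system when asked to: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight /etc/pki/pulp
fi
```

Run against the directory listing earlier in this report, pulp_ca_problems would print two "missing or empty" lines, which is the state that produced the 500 error on registration.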
Created redmine issue http://projects.theforeman.org/issues/16946 from this bug
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336