Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1394312

Summary: Docker certs are signed with wrong hosts.
Product: Red Hat Update Infrastructure for Cloud Providers
Component: RHUA
Version: 3.0.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: ---
Target Release: 3.0.0
Hardware: Unspecified
OS: Unspecified
Reporter: Irina Gulina <igulina>
Assignee: Patrick Creech <pcreech>
QA Contact: Irina Gulina <igulina>
CC: pcreech
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2017-03-01 22:13:50 UTC

Description Irina Gulina 2016-11-11 16:51:36 UTC
Description of problem:
Docker certs are signed with wrong hosts.

Version-Release number of selected component (if applicable):
iso 20161110

How reproducible:
always

Steps to Reproduce:
1. attach RH docker repo to RHUI (RH content repo needed too, see BZ 1356695 comment #6)
2. add CDS, HAP, sync repos
3. generate an entitlement cert, create a custom cli rpm
4. install the custom cli rpm on CLI
5. configure docker, point it to CDS
6. docker pull $docker_repo

Actual results:
[root@cli01 ~]# vi /etc/sysconfig/docker
[root@cli01 ~]# systemctl restart docker
[root@cli01 ~]# docker pull rhel_cert_docker
Using default tag: latest
Trying to pull repository cds.example.com:5000/rhel_cert_docker ...
unable to ping registry endpoint https://cds.example.com:5000/v0/
v2 ping attempt failed with error: Get https://cds.example.com:5000/v2/: x509: certificate is valid for cds02.example.com, not cds.example.com
 v1 ping attempt failed with error: Get https://cds.example.com:5000/v1/_ping: x509: certificate is valid for cds01.example.com, not cds.example.com
Trying to pull repository docker.io/library/rhel_cert_docker ...
Pulling repository docker.io/library/rhel_cert_docker
Error: image library/rhel_cert_docker not found
Error: image library/rhel_cert_docker not found

Expected results:
successful pulling of docker repo

Additional info:
adding INSECURE_REGISTRY='--insecure-registry cds.example.com:5000' to /etc/sysconfig/docker allows the repo content to be pulled.

docker pull rhel_cert_docker
Using default tag: latest
Trying to pull repository cds.example.com:5000/rhel_cert_docker ... 
latest: Pulling from cds.example.com:5000/rhel_cert_docker
30cf2e26a24f: Pull complete 
99dd41655d8a: Pull complete 
27dc5eaef277: Pull complete 
Digest: sha256:83d4e7a94b123449557323292c688141b858f479cf351c7d630c7018a0dd9dad
Status: Downloaded newer image for cds.example.com:5000/rhel_cert_docker:latest

Comment 3 Irina Gulina 2016-11-18 13:52:53 UTC
3. generate an entitlement cert, create a custom cli rpm
4. install the custom cli rpm on CLI

in the BZ description are wrong. Those are not needed to fetch Docker content as implemented in the 20161115 iso.

Comment 4 Irina Gulina 2016-11-18 17:32:24 UTC
Please ignore the previous comment. Points 3 and 4 are not needed if INSECURE_REGISTRY='--insecure-registry cds.example.com:5000' is added to /etc/sysconfig/docker.

Verified with the 20161115 iso:

>> rpm -ql my_rpm
/etc/docker/certs.d/cds.example.com:5000/ca.crt
/etc/pki/rhui/ca.crt
/etc/pki/rhui/key.pem
/etc/pki/rhui/product/content.crt
/etc/yum.repos.d/rh-cloud.repo
>> docker pull rhcertification_redhat-certification
Using default tag: latest
Trying to pull repository cds.example.com:5000/rhcertification_redhat-certification ... 
latest: Pulling from cds.example.com:5000/rhcertification_redhat-certification
30cf2e26a24f: Pull complete 
99dd41655d8a: Pull complete 
27dc5eaef277: Pull complete 
Digest: sha256:83d4e7a94b123449557323292c688141b858f479cf351c7d630c7018a0dd9dad
Status: Downloaded newer image for cds.example.com:5000/rhcertification_redhat-certification:latest
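
The x509 error in the description and the two ways the pull was made to work in comment 4 (a CA shipped to /etc/docker/certs.d/cds.example.com:5000/ca.crt versus --insecure-registry) come down to one library call. The following is an added example, not RHUI or Docker project code: Docker is written in Go and rejects the registry through crypto/x509's VerifyHostname, so the same call, fed the SAN names from the report, produces the report's exact error text. The host names, the "fixed" SAN list and the registryDecision model of dockerd's two paths are assumptions for illustration.

```go
// Offline reproduction of the check that failed in the report.  Docker
// verifies the server certificate's SAN dNSName entries against the name
// the client dialled using crypto/x509.(*Certificate).VerifyHostname.
// Added example; host names and the decision model are assumptions.
package main

import (
	"crypto/x509"
	"fmt"
)

// haproxyName is the name clients configure and dial; the CDS nodes sit
// behind it.  Each per-node certificate in the report names only its node.
const haproxyName = "cds.example.com"

// verifyName runs the exact library check dockerd performs.  The certificate
// is constructed: only the SAN list matters for hostname verification, so no
// key, signature or CA chain is needed to reproduce the message.
func verifyName(sanDNSNames []string, host string) error {
	cert := &x509.Certificate{DNSNames: sanDNSNames}
	return cert.VerifyHostname(host)
}

// Outcome labels the TLS handshake result for the two configurations seen in
// the report (simplified model of dockerd's behaviour, an assumption).
type Outcome string

const (
	Verified   Outcome = "verified"   // SAN covers the dialled name
	Rejected   Outcome = "rejected"   // x509 HostnameError, pull fails
	Unverified Outcome = "unverified" // --insecure-registry: identity never checked
)

// registryDecision: a registry listed in --insecure-registry skips
// certificate verification entirely (dockerd accepts any certificate and will
// fall back to plain HTTP); otherwise the SAN check decides.
func registryDecision(host string, port int, sanDNSNames []string, insecure map[string]bool) Outcome {
	if insecure[fmt.Sprintf("%s:%d", host, port)] {
		return Unverified
	}
	if err := verifyName(sanDNSNames, host); err != nil {
		return Rejected
	}
	return Verified
}

func main() {
	// Per-node SANs as implied by the 20161110 iso output in the report.
	perNode := map[string][]string{
		"cds01": {"cds01.example.com"},
		"cds02": {"cds02.example.com"},
	}
	for node, san := range perNode {
		// Prints the same text the docker client showed, e.g.
		// "x509: certificate is valid for cds02.example.com, not cds.example.com"
		fmt.Printf("%s cert vs %s: %v\n", node, haproxyName, verifyName(san, haproxyName))
	}
	// Assumed fix: the name clients actually dial is added to the SAN list.
	fixed := []string{"cds01.example.com", "cds02.example.com", haproxyName}
	fmt.Println("fixed SAN:", registryDecision(haproxyName, 5000, fixed, nil))
	fmt.Println("insecure-registry workaround:",
		registryDecision(haproxyName, 5000, perNode["cds02"], map[string]bool{"cds.example.com:5000": true}))
}
```

The point to take from it: a CDS certificate must carry, in subjectAltName, the name clients dial (the HAProxy name), not only the node's own name; a wildcard such as *.example.com also satisfies Go's matcher but only for a single label. The --insecure-registry workaround does not repair the certificate, it switches hostname and CA verification off for that endpoint, which is why comment 4 observes that the entitlement cert and CA-carrying client RPM become unnecessary with it.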

Comment 5 errata-xmlrpc 2017-03-01 22:13:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367