
Bug 1406858

Summary: Engine setup fails on F25 - m2crypto fails to load the ca.pem
Product: [oVirt] ovirt-engine
Reporter: Roy Golan <rgolan>
Component: Setup.Engine
Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE
QA Contact: David Necpal <dnecpal>
Severity: high
Docs Contact:
Priority: unspecified
Version: future
CC: ahino, bugs, derez, didi, lsvaty, rgolan
Target Milestone: ovirt-4.2.0
Flags: rule-engine: ovirt-4.2+, lsvaty: testing_ack+
Target Release: 4.2.0
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: engine-setup in previous versions of oVirt created the CA cert with the command 'openssl ca', which by default writes a human-readable text description of the certificate before the PEM block itself.
Consequence: The newer version of m2crypto shipped in Fedora 25 fails when trying to parse such certs. This caused engine-setup to fail.
Fix: The script creating the CA was changed to pass the option '-notext', so new setups get a CA cert without the prepended text, and the code that reads an existing cert during upgrade was changed to fall back to running 'openssl' instead of m2crypto if m2crypto fails.
Result: New setups should be compatible with recent m2crypto, and upgrades from previous setups should work. Please note that engine-setup does not change the existing CA cert in any way for the current bug. So if you have some other tool that reads the CA cert using newer m2crypto, it will still be affected. Such a tool should probably not read the CA cert file directly but use the engine API to get the CA cert.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-20 11:20:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
engine-setup.log (Flags: none)

Description Roy Golan 2016-12-21 16:34:29 UTC
Created attachment 1234457 [details]
engine-setup.log

Description of problem:
engine-setup fails to load the ca.pem and fails with an error:

2016-12-20 16:02:18 DEBUG otopi.context context._executeMethod:128 Stage closeup METHOD otopi.plugins.ovirt_**FILTERED**_setup.ovirt_**FILTERED**.pki.ca.Plugin._closeup
2016-12-20 16:02:18 DEBUG otopi.context context._executeMethod:142 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/home/rgolan/deploy/vacuum/share/ovirt-**FILTERED**/setup/bin/../plugins/ovirt-**FILTERED**-setup/ovirt-**FILTERED**/pki/ca.py", line 758, in _closeup
    format=X509.FORMAT_PEM,
  File "/usr/lib64/python2.7/site-packages/M2Crypto/X509.py", line 786, in load_cert
    return load_cert_bio(bio)
  File "/usr/lib64/python2.7/site-packages/M2Crypto/X509.py", line 817, in load_cert_bio
    raise X509Error(Err.get_error())
X509Error: 140134876739328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE

2016-12-20 16:02:18 ERROR otopi.context context._executeMethod:151 Failed to execute stage 'Closing up': 140134876739328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE


Version-Release number of selected component (if applicable):
- Fedora 25
- ovirt-engine 4.1, developer setup
- m2crypto 0.25.1

How reproducible:
100%

Steps to Reproduce:
1. Run engine-setup
2. default answers...

Actual results:
Installation fails, also subsequent execution of engine-setup fails

Expected results:
working setup

Additional info:
- I downgraded m2crypto to 0.24 and the issue went away
- omachace says the ca.pem is in text form

Comment 1 Yedidyah Bar David 2017-01-04 13:13:20 UTC
> Additional info:
> - I downgraded m2crypto to 0.24 and the issue went away
> - omachace says the ca.pem is in text form

Can you please check if the linked patch works?

I'd still say it's a bug in m2crypto if it fails.

Also, this is for new setups only. We'll have to handle upgrades differently.

Comment 2 Roy Golan 2017-02-15 09:51:53 UTC
(In reply to Yedidyah Bar David from comment #1)
> > Additional info:
> > - I downgraded m2crypto to 0.24 and the issue went away
> > - omachace says the ca.pem is in text form
> 
> Can you please check if the linked patch works?

Still fails.

- upgrade m2crypto
  sudo pip install m2crypto --upgrade
- applied the patch
- bin/engine-setup
  fails

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/home/rgolan/deploy/akka/share/ovirt-**FILTERED**/setup/bin/../plugins/ovirt-**FILTERED**-setup/ovirt-**FILTERED**/pki/ca.py", line 456, in _customization_upgrade
    o**FILTERED**cons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
  File "/usr/lib64/python2.7/site-packages/M2Crypto/X509.py", line 786, in load_cert
    return load_cert_bio(bio)
  File "/usr/lib64/python2.7/site-packages/M2Crypto/X509.py", line 817, in load_cert_bio
    raise X509Error(Err.get_error())
X509Error: 140229305333504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE

2017-02-15 11:50:39 ERROR otopi.context context._executeMethod:151 Failed to execute stage 'Environment customization': 140229305333504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE

Comment 3 Yedidyah Bar David 2017-02-27 10:58:13 UTC
(In reply to Roy Golan from comment #2)
> (In reply to Yedidyah Bar David from comment #1)
> > > Additional info:
> > > - I downgraded m2crypto to 0.24 and the issue went away
> > > - omachace says the ca.pem is in text form
> > 
> > Can you please check if the linked patch works?
> 
> Still fails.

Now happened to me too.

The linked patch is only for new CA, so won't fix upgrade. Will do something later for upgrades. For now, can you try the following workaround:

cd /etc/pki/ovirt-engine
openssl x509 -in ca.pem -out ca.pem
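The failure described in the Doc Text and the Comment 3 workaround, modelled in Python as an added example; this is not oVirt's, otopi's or m2crypto's code. The standard library's ssl.PEM_cert_to_DER_cert stands in for the strict m2crypto reader (it likewise requires the input to start with the BEGIN CERTIFICATE header). The two sample PEM texts and the base64 payload are constructed for the example and are not a real certificate; the function names has_leading_text, extract_pem_block, strict_rejects and load_cert_with_fallback are chosen here.

```python
"""Strict vs. tolerant loading of a ca.pem written by 'openssl ca' without '-notext'.

'openssl ca' by default writes a text dump of the certificate before the PEM
block.  A strict reader that expects the file to *start* with the PEM header
(m2crypto 0.25.1 in the bug report) rejects it with
"no start line ... Expecting: CERTIFICATE".  The fix described in the Doc Text
has two halves: create new CAs with '-notext', and on upgrade fall back to a
tolerant reader ('openssl x509 -in ca.pem -out ca.pem' keeps only the PEM
block).  Both are modelled below.  Added example, not project code.
"""
import base64
import re
import ssl
from typing import Tuple

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed placeholder payload: NOT a real DER certificate, just bytes that
# exercise the PEM framing offline.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
_B64 = base64.encodebytes(FAKE_DER).decode("ascii")

# Constructed sample of what 'openssl ca' writes by default: text, then PEM.
CA_PEM_WITH_TEXT = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 1 (0x1)\n"
    "    Signature Algorithm: sha256WithRSAEncryption\n"
    "        Issuer: CN=engine-ca.example.test (constructed)\n"
    + PEM_HEADER + "\n" + _B64 + PEM_FOOTER + "\n"
)

# Constructed sample of what 'openssl ca -notext' writes: the PEM block only.
CA_PEM_NOTEXT = PEM_HEADER + "\n" + _B64 + PEM_FOOTER + "\n"


def has_leading_text(pem_text: str) -> bool:
    """True when anything but whitespace precedes the PEM header, i.e. the
    file is in the 'text form' that the strict reader rejects."""
    idx = pem_text.find(PEM_HEADER)
    return idx == -1 or pem_text[:idx].strip() != ""


def load_cert_strict(pem_text: str) -> bytes:
    """Strict reader: the input must start with the PEM header (stand-in for
    the m2crypto behaviour in the report).  Raises ValueError otherwise."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def strict_rejects(pem_text: str) -> bool:
    """True if the strict reader raises on this input."""
    try:
        load_cert_strict(pem_text)
    except ValueError:
        return True
    return False


def extract_pem_block(pem_text: str) -> str:
    """Keep only the first CERTIFICATE block: the same effect as the
    'openssl x509 -in ca.pem -out ca.pem' workaround from Comment 3."""
    m = _PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return m.group(0) + "\n"


def load_cert_with_fallback(pem_text: str) -> Tuple[bytes, str]:
    """Mirror the upgrade-path fix: try the strict reader first and only fall
    back to the tolerant path when it fails.  Returns (der, path_used)."""
    try:
        return load_cert_strict(pem_text), "strict"
    except ValueError:
        return load_cert_strict(extract_pem_block(pem_text)), "fallback"


if __name__ == "__main__":
    for name, pem in (("text form", CA_PEM_WITH_TEXT), ("-notext", CA_PEM_NOTEXT)):
        der, path = load_cert_with_fallback(pem)
        print(f"{name}: leading text={has_leading_text(pem)}, "
              f"strict rejects={strict_rejects(pem)}, loaded via {path}, {len(der)} bytes")
```

has_leading_text is the pre-upgrade check an operator can run over an existing ca.pem; as the Doc Text notes, engine-setup does not rewrite the existing CA cert, so any other tool that reads the file directly with the newer m2crypto stays affected until the file is normalised or the tool switches to the engine API.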

Comment 4 Roy Golan 2017-02-27 12:06:50 UTC
> The linked patch is only for new CA, so won't fix upgrade. Will do something
> later for upgrades. For now, can you try the following workaround:
> 
> cd /etc/pki/ovirt-engine
> openssl x509 -in ca.pem -out ca.pem

This fixed it.

Comment 5 David Necpal 2017-09-04 18:26:28 UTC
Verified on version:
fedora-release-25-1.noarch
ovirt-engine-4.2.0-0.0.master.20170903205117.gitb17261a.fc25.noarch
m2crypto-0.25.1-1.fc25.x86_64

Comment 6 Sandro Bonazzola 2017-12-20 11:20:44 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.