Bug 1417734 - katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error
Summary: katello-certs-check needs to provide differentiating data for capsule-certs-g...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Infrastructure
Version: 6.2.7
Hardware: All
OS: Linux
high
medium
Target Milestone: Unspecified
Assignee: Chris Roberts
QA Contact: Sanket Jagtap
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1417399 1426416
TreeView+ depends on / blocked
 
Reported: 2017-01-30 19:37 UTC by Craig Donnelly
Modified: 2020-03-11 15:41 UTC (History)
7 users (show)

Fixed In Version: katello-installer-base-3.0.0.80-2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1426416 (view as bug list)
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 18310 0 Normal Closed katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error 2020-09-09 15:42:22 UTC
Red Hat Bugzilla 1417399 0 high CLOSED Incorrect section/command for generating capsule certs-tar 2021-02-22 00:41:40 UTC

Internal Links: 1417399

Description Craig Donnelly 2017-01-30 19:37:31 UTC
Description of problem:
When using `katello-certs-check` the `capsule-certs-generate` command that is provided is assuming that we are only updating a capsule certificates, and not generating them for the first time.

If we indeed use this command to generate certs for a fresh capsule, we will encounter an error because the directories for that capsule do not yet exist.
This is in reference to the '--certs-update-server' argument.

This argument is only necessary to update certificates that were already created before.

If we are generating a fresh pair of certs for a fresh capsule, we want to omit this argument to create a fresh directory and certificate set for the capsule without a traceback.

Version-Release number of selected component (if applicable): 6.2.7


How reproducible: 100%


Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Actual results:

# katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem 
<snip>
To use them inside a $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"\
                           --certs-update-server
</snip>

When running the provided command:

# capsule-certs-generate --capsule-fqdn "newcapsule.example.com"                           --certs-tar  "~/newcapsule-certs.tar" --server-cert "newcapsule.crt" --server-cert-req "newcapsule.csr" --server-key "newcapsule.key" --server-ca-cert "CA-crt.pem" --certs-update-server
Marking certificate /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache for update
/usr/share/ruby/fileutils.rb:1145:in `initialize': No such file or directory - /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache.update (Errno::ENOENT)
	from /usr/share/ruby/fileutils.rb:1145:in `open'
	from /usr/share/ruby/fileutils.rb:1145:in `rescue in block in touch'
	from /usr/share/ruby/fileutils.rb:1141:in `block in touch'
	from /usr/share/ruby/fileutils.rb:1139:in `each'
	from /usr/share/ruby/fileutils.rb:1139:in `touch'
	from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:18:in `mark_for_update'
	from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:38:in `block (4 levels) in load'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `instance_eval'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `block (4 levels) in load'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `instance_exec'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:51:in `block in execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `each'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:375:in `run_installation'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:141:in `execute'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:148:in `run'
	from /usr/sbin/capsule-certs-generate:50:in `<main>'


Expected results:

katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

# katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem 
<snip>
To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"
</snip>


Additional info:
This came about as a documentation bug that is actually caused by this oversight.
This is being tracked in RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1417399.

Comment 1 Craig Donnelly 2017-01-30 19:41:23 UTC
I made a typo above for how this should look, you'll have to ignore some other typos above for the cert names. Point is driven either way.

Here is the revision:

Expected results:

katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

# katello-certs-check -c newcapsule.crt -k newcapsule.key -r newcapsule.csr -b CA-crt.pem 
<snip>
To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"\
                           --certs-update-server
</snip>

Comment 3 Chris Roberts 2017-01-30 22:02:56 UTC
Created Redmine issue:

http://projects.theforeman.org/issues/18310

Pull request here:

https://github.com/Katello/katello-installer/pull/475

Comment 4 pm-sat@redhat.com 2017-02-01 19:18:40 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18310 has been resolved.

Comment 5 pm-sat@redhat.com 2017-02-23 21:11:31 UTC
Please add verifications steps for this bug to help QE verify

Comment 6 Chris Roberts 2017-03-01 21:23:52 UTC
Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Comment 7 Sanket Jagtap 2017-03-30 12:04:56 UTC
Build : Satellite 6.2.9 snap 2

Version: katello-installer-base-3.0.0.79-1.el7sat.noarch

katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt
Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"\
                        --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "sjagtap.abc.com.crt"\
                           --server-cert-req "sjagtap.abc.com.crt.req"\
                           --server-key "sjagtap.abc.com.key"\
                           --server-ca-cert "cacert.crt"\


To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\
                           --server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\
                           --server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\
                           --server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\


I see the added option for satellite-installer -certs-update-server for updating the certs , but the option is still missing for EXISTING $CAPSULE as per comment #1

Comment 9 Sanket Jagtap 2017-04-13 06:58:02 UTC
Build: Satellite 6.2.9 snap 3

katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt
Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"\
                        --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "sjagtap.abc.com.crt"\
                           --server-cert-req "sjagtap.abc.com.crt.req"\
                           --server-key "sjagtap.abc.com.key"\
                           --server-ca-cert "cacert.crt"\


To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\
                           --server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\
                           --server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\
                           --server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\
                           --certs-update-server

Comment 10 Bryan Kearney 2017-05-01 14:29:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191

Comment 11 Bryan Kearney 2017-05-01 14:29:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191


Note You need to log in before you can comment on or make changes to this bug.