Bug 1417734 - katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error
Summary: katello-certs-check needs to provide differentiating data for capsule-certs-g...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Infrastructure
Version: 6.2.7
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: Unspecified
Assignee: Chris Roberts
QA Contact: Sanket Jagtap
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1417399 1426416
Reported: 2017-01-30 19:37 UTC by Craig Donnelly
Modified: 2020-03-11 15:41 UTC (History)
7 users

Fixed In Version: katello-installer-base-3.0.0.80-2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1426416
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker 18310 | 0 | Normal | Closed | katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error | 2020-09-09 15:42:22 UTC
Red Hat Bugzilla 1417399 | 0 | high | CLOSED | Incorrect section/command for generating capsule certs-tar | 2021-02-22 00:41:40 UTC

Internal Links: 1417399

Description Craig Donnelly 2017-01-30 19:37:31 UTC
Description of problem:
When using `katello-certs-check`, the `capsule-certs-generate` command that is provided assumes that we are only updating a capsule's certificates, not generating them for the first time.

If we indeed use this command to generate certs for a fresh capsule, we will encounter an error because the directories for that capsule do not yet exist.
This is in reference to the '--certs-update-server' argument.

This argument is only necessary to update certificates that were already created before.

If we are generating a fresh pair of certs for a fresh capsule, we want to omit this argument to create a fresh directory and certificate set for the capsule without a traceback.

Version-Release number of selected component (if applicable): 6.2.7


How reproducible: 100%


Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Actual results:

# katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem 
<snip>
To use them inside a $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"\
                           --certs-update-server
</snip>

When running the provided command:

# capsule-certs-generate --capsule-fqdn "newcapsule.example.com" \
                         --certs-tar "~/newcapsule-certs.tar" \
                         --server-cert "newcapsule.crt" \
                         --server-cert-req "newcapsule.csr" \
                         --server-key "newcapsule.key" \
                         --server-ca-cert "CA-crt.pem" \
                         --certs-update-server
Marking certificate /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache for update
/usr/share/ruby/fileutils.rb:1145:in `initialize': No such file or directory - /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache.update (Errno::ENOENT)
	from /usr/share/ruby/fileutils.rb:1145:in `open'
	from /usr/share/ruby/fileutils.rb:1145:in `rescue in block in touch'
	from /usr/share/ruby/fileutils.rb:1141:in `block in touch'
	from /usr/share/ruby/fileutils.rb:1139:in `each'
	from /usr/share/ruby/fileutils.rb:1139:in `touch'
	from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:18:in `mark_for_update'
	from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:38:in `block (4 levels) in load'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `instance_eval'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `block (4 levels) in load'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `instance_exec'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:51:in `block in execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `each'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `execute'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:375:in `run_installation'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:141:in `execute'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
	from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
	from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:148:in `run'
	from /usr/sbin/capsule-certs-generate:50:in `<main>'


Expected results:

katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

# katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem 
<snip>
To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"
</snip>


Additional info:
This came about as a documentation bug that is actually caused by this oversight.
This is being tracked in RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1417399.
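The traceback above comes from a kafo pre-hook that touches an `<fqdn>-apache.update` marker under `/root/ssl-build/<fqdn>/`; `FileUtils.touch` raises `Errno::ENOENT` when that directory has never been created, which is exactly the new-capsule case. The following is an added example, not code from katello-installer or from the reporter: it reproduces that failure in a scratch directory and shows the guard a practitioner wants, namely to decide from the presence of the capsule's ssl-build directory whether `--certs-update-server` belongs on the command line at all. The `ssl-build` layout and the `-apache.update` marker name are taken from the traceback; the helper names, the `ssl_build:` override and the tmpdir-based demo are assumptions for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Assumption: a capsule counts as "existing" when its ssl-build directory is
# present. The path layout /root/ssl-build/<fqdn>/ is taken from the traceback.
def existing_capsule?(fqdn, ssl_build: '/root/ssl-build')
  Dir.exist?(File.join(ssl_build, fqdn))
end

# Build the argument list katello-certs-check ought to print for a capsule:
# --certs-update-server is appended only for an existing capsule.
# (Hypothetical helper, not katello-installer code.)
def capsule_certs_generate_args(fqdn:, cert:, key:, req:, ca:,
                                ssl_build: '/root/ssl-build')
  args = ['capsule-certs-generate',
          '--capsule-fqdn', fqdn,
          '--certs-tar', "~/#{fqdn}-certs.tar",
          '--server-cert', cert,
          '--server-cert-req', req,
          '--server-key', key,
          '--server-ca-cert', ca]
  args << '--certs-update-server' if existing_capsule?(fqdn, ssl_build: ssl_build)
  args
end

# Mirrors the failing step in the traceback: touching an ".update" marker
# inside a directory that does not exist raises Errno::ENOENT.
def mark_for_update_unguarded(fqdn, ssl_build)
  FileUtils.touch(File.join(ssl_build, fqdn, "#{fqdn}-apache.update"))
end

# Guarded variant: refuse with an actionable message instead of a traceback
# when the capsule has no ssl-build directory yet. Returns the marker path.
def mark_for_update_guarded(fqdn, ssl_build)
  dir = File.join(ssl_build, fqdn)
  unless Dir.exist?(dir)
    raise ArgumentError,
          "#{dir} does not exist: this looks like a NEW capsule, " \
          'run capsule-certs-generate without --certs-update-server'
  end
  marker = File.join(dir, "#{fqdn}-apache.update")
  FileUtils.touch(marker)
  marker
end

if __FILE__ == $PROGRAM_NAME
  # Demo in a scratch directory so nothing under /root is touched.
  Dir.mktmpdir do |root|
    fqdn = 'newcapsule.example.com'
    puts capsule_certs_generate_args(fqdn: fqdn, cert: 'newcapsule.crt',
                                     key: 'newcapsule.key', req: 'newcapsule.csr',
                                     ca: 'CA-crt.pem', ssl_build: root).join(' ')
    begin
      mark_for_update_unguarded(fqdn, root)
    rescue Errno::ENOENT => e
      puts "unguarded: #{e.class}: #{e.message}"
    end
    FileUtils.mkdir_p(File.join(root, fqdn))
    puts "guarded, existing capsule: touched #{mark_for_update_guarded(fqdn, root)}"
  end
end
```

Run it as-is to see the ENOENT that the bug report shows, followed by the guarded behaviour once the capsule directory exists; point `ssl_build:` at the real `/root/ssl-build` on a Satellite server to make the decision for a real capsule FQDN.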

Comment 1 Craig Donnelly 2017-01-30 19:41:23 UTC
I made a typo above in how this should look; you'll have to ignore some other typos above in the cert names. The point is driven home either way.

Here is the revision:

Expected results:

katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

# katello-certs-check -c newcapsule.crt -k newcapsule.key -r newcapsule.csr -b CA-crt.pem 
<snip>
To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "newcapsule.crt"\
                           --server-cert-req "newcapsule.csr"\
                           --server-key "newcapsule.key"\
                           --server-ca-cert "CA-crt.pem"\
                           --certs-update-server
</snip>

Comment 3 Chris Roberts 2017-01-30 22:02:56 UTC
Created Redmine issue:

http://projects.theforeman.org/issues/18310

Pull request here:

https://github.com/Katello/katello-installer/pull/475

Comment 4 Satellite Program 2017-02-01 19:18:40 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18310 has been resolved.

Comment 5 Satellite Program 2017-02-23 21:11:31 UTC
Please add verification steps for this bug to help QE verify

Comment 6 Chris Roberts 2017-03-01 21:23:52 UTC
Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Comment 7 Sanket Jagtap 2017-03-30 12:04:56 UTC
Build : Satellite 6.2.9 snap 2

Version: katello-installer-base-3.0.0.79-1.el7sat.noarch

katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt
Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"\
                        --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "sjagtap.abc.com.crt"\
                           --server-cert-req "sjagtap.abc.com.crt.req"\
                           --server-key "sjagtap.abc.com.key"\
                           --server-ca-cert "cacert.crt"\


To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\
                           --server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\
                           --server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\
                           --server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\


I see the added option for satellite-installer --certs-update-server for updating the certs, but the option is still missing for EXISTING $CAPSULE as per comment #1

Comment 9 Sanket Jagtap 2017-04-13 06:58:02 UTC
Build: Satellite 6.2.9 snap 3

katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt
Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "sjagtap.abc.com.crt"\
                        --certs-server-cert-req "sjagtap.abc.com.crt.req"\
                        --certs-server-key "sjagtap.abc.com.key"\
                        --certs-server-ca-cert "cacert.crt"\
                        --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "sjagtap.abc.com.crt"\
                           --server-cert-req "sjagtap.abc.com.crt.req"\
                           --server-key "sjagtap.abc.com.key"\
                           --server-ca-cert "cacert.crt"\


To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\
                           --server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\
                           --server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\
                           --server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\
                           --certs-update-server

Comment 10 Bryan Kearney 2017-05-01 14:29:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191

Comment 11 Bryan Kearney 2017-05-01 14:29:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1191

