Bug 1437580 - Puppet Master Issue / CA issue
Summary: Puppet Master Issue / CA issue
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Satellite Maintain
Version: 6.2.7
Hardware: x86_64
OS: All
unspecified
high
Target Milestone: Unspecified
Assignee: Kavita
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: 1496794
 
Reported: 2017-03-30 15:17 UTC by Waldirio M Pinheiro
Modified: 2021-09-09 12:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-03 19:17:32 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 21730 0 Normal Closed Add check to verify if any empty CA request files exist on satellite 2020-08-20 15:24:25 UTC
Red Hat Knowledge Base (Solution) 2976161 0 None None None 2017-03-30 15:17:39 UTC

Description Waldirio M Pinheiro 2017-03-30 15:17:21 UTC
Description of problem:
When Satellite has one empty CA file, the customer will receive the message below
---
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)
---

Version-Release number of selected component (if applicable):
6.2.8

How reproducible:
100%

Steps to Reproduce:
1. Create one empty file inside "/var/lib/puppet/ssl/ca/requests/test.pem"
2. Execute the command "/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all"

Actual results:
Error
---
[root@satellite6 log]# /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all 
Error: header too long
[root@satellite6 log]#
---

Expected results:
See all certificates

Additional info:

Comment 3 Marek Hulan 2017-08-14 19:58:51 UTC
Thanks for the report Waldirio, how or when would you like to perform the check for empty files? Note that the Puppet CA might be installed on a different host than Satellite. Why did the customer put an empty file into the CA directory?

Anyway, since it's the puppet cert tool that fails, I think it should be reported against puppet. We could add an extra level of checks but it does not feel right. If there's no good reason why the customer needs to put empty files into the Puppet CA dir, I'd suggest closing as WONTFIX.

Comment 4 Waldirio M Pinheiro 2017-08-14 20:29:22 UTC
Hi Marek, good afternoon

I'm not sure what the root cause is, but for some reason the cert is generated without content, and then when puppet tries to list the cert *and generate the complete list* it fails.

For sure the customer will *or should not* put empty files in this directory, btw I got at least 3 cases with this symptom / cause, and after removing the empty file everything comes back to the normal state.

Let me know your point of view; imho improving our product to detect and, in this case, inform should be interesting ... Actually we can see only the issue on the screen without any advice or direction *as you can see below*

---
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)
---


Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 5 Waldirio M Pinheiro 2017-08-14 20:36:49 UTC
Complementing

Answering your question

"how or when would you like to perform the check for empty files?"

So I thought of two different approaches

1. Schedule one task just to check if there is an empty file in that directory *daily*

or

2. When the customer tries to generate the puppet signed list via webUI


Pros & Cons
About the first, I can't see any problem, btw if for any reason the sat creates one empty file, this one will be fixed only on the next day, so if the customer tries to generate the list they will get an error.

About the second one, imagining one customer with 40k clients, and one file for each one, I'm not sure how much time sat should spend to conclude the task, so doing it every time should not be interesting.

My contrib.

Thank you.

Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 6 Marek Hulan 2017-08-14 20:54:22 UTC
Maybe that would be a good candidate for foreman-maintain and setting up a daily cron job. Since I've never heard of this before I don't think every customer would experience this issue. Maybe a KCS describing how to set up cron would do? I'd like to avoid adding workarounds for bugs in underlying software to the Satellite codebase; in the past it didn't bring anything good. Let me know what you think.

Comment 7 Waldirio M Pinheiro 2017-08-14 21:05:47 UTC
Hi

Could be *Personally I don't know foreman-maintain, I'll check*.

I did the kcs *https://access.redhat.com/solutions/2976161* just to fix this issue; the main idea of the BZ is to avoid this issue or just improve the error message *another approach*. If foreman-maintain exists and we could improve it, for sure it will be one great idea.

Let me know your point of view and let's decide the future of this *health check*.

Thank you.


Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 8 Marek Hulan 2017-09-21 10:30:18 UTC
Anurag, do you think this would be a good fit for foreman-maintain? Unfortunately I can't access the KCS but I think with cron periodically fixing the CA directory, we'd get into hard-to-reproduce reports since the failure would be there but only until the cron starts. Therefore I think just a KCS and potentially a fix tool in foreman-maintain would be a better approach.

Comment 9 Anurag Patel 2017-11-17 08:56:07 UTC
I personally feel this looks like a corner case of ca files appearing in the ca requests directory. Are the customers manually creating these files, and leaving the empty files in error?

In any case, if this problem is widespread then this can be a good candidate to be added to foreman-maintain as a check; optionally it could also offer to delete the empty ca file.

Comment 10 Satellite Program 2017-11-22 09:13:52 UTC
Upstream bug assigned to kgaikwad

Comment 11 Ivan Necas 2017-11-24 09:50:28 UTC
I think it makes sense: ideally not checking just the emptiness, but also other properties of the certificate files (such as format, validation of client cert against ca cert etc.). See https://github.com/Katello/katello-installer/blob/master/bin/katello-certs-check for an example of similar checks we had in katello-installer for customer certs.

Comment 12 Kavita 2018-08-02 14:04:59 UTC
Foreman maintain has a check which verifies whether any empty CA request files exist on satellite and gives an option to delete those files.
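
A report-only sketch of the kind of check discussed in this thread, added here as an example; it is not foreman-maintain's code and not from any commenter. It goes one step beyond emptiness by also flagging files with no PEM CSR header; the function names `check_ca_requests` and `demo_check_ca_requests` and the header pattern are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not foreman-maintain code). Report-only: nothing is deleted.
# check_ca_requests and demo_check_ca_requests are hypothetical names.

# Print "<reason><TAB><path>" for every *.pem in the requests directory that is
# empty or has no PEM CSR header. Exit status: 0 clean, 1 findings, 2 bad dir.
check_ca_requests() (
    dir="${1:-/var/lib/puppet/ssl/ca/requests}"   # path from the bug report
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    status=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue                   # unmatched glob, non-regular file
        if [ ! -s "$f" ]; then
            printf 'empty\t%s\n' "$f"; status=1
        # Assumption: a usable request carries a PEM CSR header line.
        elif ! grep -qE '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$f"; then
            printf 'no-pem-header\t%s\n' "$f"; status=1
        fi
    done
    exit "$status"
)

# Run the check on a constructed sample directory (no real CA data).
demo_check_ca_requests() (
    tmp=$(mktemp -d) || exit 2
    cd "$tmp" || exit 2
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'constructed-body' \
        '-----END CERTIFICATE REQUEST-----' > good.example.com.pem
    : > test.pem                                  # the empty file from the report
    printf 'not a csr\n' > junk.example.com.pem
    check_ca_requests . || true                   # findings are expected here
    cd / && rm -rf "$tmp"
)
```

Calling `check_ca_requests` with no argument on the host that runs the Puppet CA scans the directory named in the report; the non-zero exit status on findings makes it usable from a scheduled job or a monitoring probe.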

Comment 14 Bryan Kearney 2018-10-03 19:17:32 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

