Red Hat Bugzilla – Bug 1468009
[RFE] Make https redirect for unattended URLs optional
Last modified: 2018-01-02 01:52:37 EST
Description of problem:
Customer would like to modify the provisioning template in such a way that when a system gets provisioned it will report its build status to the Satellite server over http instead of https.
As in the provisioning template there is a command which calls the token on Satellite from the console:
#wget -q -O /dev/null --no-check-certificate <%= foreman_url %>
#wget -q -O /dev/null --no-check-certificate http://satellite.lab.example.com/unattended/
Ideally satellite is redirecting every request over this url to https.
It should allow reporting without "--no-check-certificate" parameter.
I either need to be able to NOT use https and just use http OR even better have Sat6 try a test rex job (like ls or something) and when the rex job succeeds the build is done.
Doing ACTIVE checks from Sat6 has MANY advantages like the ability to set the interval for retries, max number of tries, AND a task or action to take if it hits max retries like restart and retry rebuild or send alert email, etc.
This also allows for a minimal monitoring feature for hosts in Sat6. So say, for a critical server, if 2 REX failures occur on a physical server, power cycle it, and if it still fails, attempt a rebuild or send email to some DL.
So is the problem that Apache httpd redirects all http requests to https? It should be possible to avoid that for /unattended URLs via some configuration option in httpd.conf.
But after reading the case, it looks like the major problem is your IT security dept and the "--no-check-certificate". Can you check if deploying the Satellite server certificate via a kickstart snippet prior to the wget command would be feasible? Then we could change the template to something like:
wget -q -O /dev/null --ca-certificate /tmp/built-server-cert.crt https://satellite.lab.example.com/unattended/
Please let us know which of the two options you would prefer, either embedding the server certificate into kickstart or turning off https rewrite for unattended requests.
For ideas around Remote Execution, please feel free to file an additional RFE. These are two separate areas and separate BZ components.
Yes, the issue is forcing http to https globally. Simple "I'm done building" messages I see no reason to be https plus on some systems I am getting Sat6 to build tools like where come from BusyBox and an RPM. I am looking at embedded systems based on RHEL like SAN appliances which I may once I get this working build on ARM devices now that RHEL is coming to ARM. For embedded systems every byte of storage counts as the SD card or Compact Flash is the only "HDD".
Also going to look at ARM (Raspberry Pi 3b or later) desktops using RHEL workstation/desktop being built via Sat6.
Also adding the active ssh can be a precursor to possible future Ansible support maybe.