Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
When deploying Satellite 6.3 snap 19 with a custom certificate hammer errors out with every command until :ssl_ca_file: is configured to point to the ca bundle.
Version-Release number of selected component (if applicable):
6.3 snap19
How reproducible:
Easy
Steps to Reproduce:
1. Install Satellite with custom certificates
2. run hammer with out arguments
3.
Actual results:
# hammer
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_csv
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_foreman
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_foreman_bootdisk
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_foreman_docker
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_foreman_openscap
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_foreman_remote_execution
Warning: An error occured while loading module hammer_cli_foreman_tasks
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_foreman_virt_who_configure
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt
Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com
Warning: An error occured while loading module hammer_cli_katello
Expected results:
Hammer should work out of the box even when using custom certificates.
Additional info:
This was not needed in 6.2, so I'm not sure if this is something the installer does differently or what's going on but when creating a ~/.hammer/cli_config.yml with the following content it works:
:ssl:
:ssl_ca_file: '/root/ca-chain.pem'
Satellite was installed with the following: satellite-installer --scenario satellite --certs-server-cert "/root/sat63-snap19.example.com.crt" --certs-server-cert-req "/root/fake.csr" --certs-server-key "/root/sat63-snap19.example.com.key" --certs-server-ca-cert "/root/ca-chain.pem" --foreman-admin-password redhat123 --foreman-initial-organization "testday" --foreman-proxy-tftp true
And output of katello-certs-check:
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=SE/ST=Stockholm/O=opuk lab/OU=opuk lab intermediate/CN=sat63-snap19.example.com/emailAddress=root
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]
*** WORKAROUND ***
This breaks due to /etc/hammer/cli.modules.d/foreman.yml being configured to have ssl_ca_file pointed at /etc/pki/katello/certs/katello-default-ca.crt. This certificate is not the CA being used by the Foreman webserver when custom certificates are being used. Rather, this should be configured to point at:
/etc/pki/katello/certs/katello-server-ca.crt
edit /etc/hammer/cli.modules.d/foreman.yml and set the ca to the above file
VERIFIED
Version tested:
Satellite 6.3 snap 35
Hammer works correctly with satellite using custom certs.
Comment 17Satellite Program
2018-02-21 16:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
>
> For information on the advisory, and where to find the updated files, follow the link below.
>
> If the solution does not work for you, open a new bug report.
>
> https://access.redhat.com/errata/RHSA-2018:0336