Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1501980 - Hammer errors out with certificate errors when using custom certs
Summary: Hammer errors out with certificate errors when using custom certs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Stephen Benjamin
QA Contact: Nikhil Kathole
URL:
Whiteboard:
: 1508621 1520476 (view as bug list)
Depends On:
Blocks: 1122832 1533259
TreeView+ depends on / blocked
 
Reported: 2017-10-13 15:56 UTC by Johan Swensson
Modified: 2021-12-10 15:19 UTC (History)
16 users (show)

Fixed In Version: katello-installer-base-3.4.5.20-1,foreman-installer-1.15.6.7-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:54:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 22196 0 Normal Closed Hammer errors out with certificate errors when using CA chain 2021-02-08 20:24:02 UTC

Description Johan Swensson 2017-10-13 15:56:58 UTC 
Description of problem:
When deploying Satellite 6.3 snap 19 with a custom certificate hammer errors out with every command until :ssl_ca_file: is configured to point to the ca bundle.

Version-Release number of selected component (if applicable):
6.3 snap19

How reproducible:
Easy

Steps to Reproduce:
1. Install Satellite with custom certificates
2. run hammer with out arguments
3.

Actual results:
# hammer
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_csv
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_bootdisk
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_docker
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_openscap
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_remote_execution
Warning: An error occured while loading module hammer_cli_foreman_tasks
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_virt_who_configure
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
  ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_katello


Expected results:
Hammer should work out of the box even when using custom certificates.

Additional info:
This was not needed in 6.2, so I'm not sure if this is something the installer does differently or what's going on but when creating a ~/.hammer/cli_config.yml with the following content it works:

:ssl:
  :ssl_ca_file: '/root/ca-chain.pem'


Satellite was installed with the following:  satellite-installer --scenario satellite --certs-server-cert "/root/sat63-snap19.example.com.crt"                      --certs-server-cert-req "/root/fake.csr" --certs-server-key "/root/sat63-snap19.example.com.key" --certs-server-ca-cert "/root/ca-chain.pem" --foreman-admin-password redhat123 --foreman-initial-organization "testday" --foreman-proxy-tftp true

And output of katello-certs-check:
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=SE/ST=Stockholm/O=opuk lab/OU=opuk lab intermediate/CN=sat63-snap19.example.com/emailAddress=root
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]
Comment 2 Brad Buckingham 2017-11-08 15:07:29 UTC 
*** Bug 1508621 has been marked as a duplicate of this bug. ***
Comment 3 Brad Buckingham 2017-11-08 15:08:20 UTC 
Moving to Installer based upon https://bugzilla.redhat.com/show_bug.cgi?id=1508621#c0
Comment 4 Mike McCune 2017-11-10 14:28:44 UTC 
*** WORKAROUND ***


This breaks due to /etc/hammer/cli.modules.d/foreman.yml being configured to have ssl_ca_file pointed at /etc/pki/katello/certs/katello-default-ca.crt. This certificate is not the CA being used by the Foreman webserver when custom certificates are being used. Rather, this should be configured to point at:

/etc/pki/katello/certs/katello-server-ca.crt

edit /etc/hammer/cli.modules.d/foreman.yml and set the ca to the above file
Comment 6 Lukas Zapletal 2017-12-11 12:54:50 UTC 
*** Bug 1520476 has been marked as a duplicate of this bug. ***
Comment 8 Stephen Benjamin 2018-01-09 14:33:49 UTC 
Created redmine issue http://projects.theforeman.org/issues/22196 from this bug
Comment 9 Satellite Program 2018-01-09 15:11:28 UTC 
Upstream bug assigned to stbenjam
Comment 10 Satellite Program 2018-01-09 15:11:34 UTC 
Upstream bug assigned to stbenjam
Comment 11 Satellite Program 2018-01-10 11:11:44 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/22196 has been resolved.
Comment 12 Satellite Program 2018-01-15 11:11:38 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/22196 has been resolved.
Comment 15 Nikhil Kathole 2018-02-06 16:09:31 UTC 
VERIFIED

Version tested:
Satellite 6.3 snap 35

Hammer works correctly with satellite using custom certs.
Comment 17 Satellite Program 2018-02-21 16:54:17 UTC 
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> https://access.redhat.com/errata/RHSA-2018:0336
Note You need to log in before you can comment on or make changes to this bug.