Bug 1592681 - foreman-installer does not create /usr/share/foreman/.postgresql/root.crt
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: 6.4.0
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Lukáš Hellebrandt
Reported: 2018-06-19 06:47 UTC by Ales Dujicek
Modified: 2019-11-05 23:24 UTC (History)

Last Closed: 2018-10-16 19:01:10 UTC


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 22940 0 None None None 2018-06-19 06:47:40 UTC

Description Ales Dujicek 2018-06-19 06:47:38 UTC
foreman-installer does not create /usr/share/foreman/.postgresql/root.crt when --foreman-db-manage false is set

How to reproduce:
# foreman-installer --scenario katello --foreman-db-manage false --foreman-db-host remote-db-host.redhat.com --foreman-db-root-cert /usr/share/foreman/root.crt
[ WARN 2018-03-19T10:24:21 main]  /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns: ActiveRecord::NoDatabaseError: root certificate file "/usr/share/foreman/.postgresql/root.crt" does not exist
# ls /usr/share/foreman/.postgresql/root.crt
ls: cannot access /usr/share/foreman/.postgresql/root.crt: No such file or directory

Version:
foreman-installer-1.18.0-0.develop.201803160331giteb46741.el7.noarch

Comment 1 Ales Dujicek 2018-06-19 06:47:43 UTC
Created from redmine issue http://projects.theforeman.org/issues/22940

Comment 2 Ales Dujicek 2018-06-19 06:47:47 UTC
Upstream bug assigned to None

Comment 4 Ales Dujicek 2018-06-19 07:01:24 UTC
To make it clearer what this means:

If you set up SSL for the foreman database
# satellite-installer --scenario satellite --foreman-db-manage false --foreman-db-host remote-db-host.redhat.com --foreman-db-database foreman1db --foreman-db-username foreman1 --foreman-db-password foreman1pw --foreman-db-port 5432 --foreman-db-sslmode verify-full --foreman-db-root-cert /tmp/root.crt

then db:migrate fails because foreman cannot verify the database's certificate (missing ~foreman/.postgresql/root.crt).

[ERROR 2018-06-19T08:45:53 main]  /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
[ERROR 2018-06-19T08:45:53 main]  /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0]
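
Added example, not part of the original report or of the installer's code: a preflight check for the failure described in comment 4, where libpq needs a root CA file to validate the server certificate under sslmode verify-ca or verify-full. The function names and return codes are assumptions made for this sketch; the default path ~/.postgresql/root.crt and the PGSSLROOTCERT override are standard libpq behaviour.

```shell
#!/bin/sh
# Added example: check that the libpq root CA file exists before db:migrate runs.

# Print the root CA path libpq will use for a user whose home directory is $1.
# PGSSLROOTCERT, when set, overrides the default ~/.postgresql/root.crt.
resolve_root_cert() {
    if [ -n "${PGSSLROOTCERT:-}" ]; then
        printf '%s\n' "$PGSSLROOTCERT"
    else
        printf '%s\n' "$1/.postgresql/root.crt"
    fi
}

# check_root_cert SSLMODE HOME_DIR
# Returns 0 = ok, 1 = file missing, 2 = unreadable, 3 = no PEM certificate inside.
check_root_cert() {
    sslmode=$1
    home_dir=$2
    case "$sslmode" in
        verify-ca|verify-full) ;;   # only these modes require the root CA file
        *)
            echo "sslmode=$sslmode: root CA file not required"
            return 0 ;;
    esac
    cert=$(resolve_root_cert "$home_dir")
    if [ ! -f "$cert" ]; then
        echo "MISSING: $cert"
        return 1
    fi
    if [ ! -r "$cert" ]; then
        echo "UNREADABLE by $(id -un): $cert"
        return 2
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "NOT A PEM CERTIFICATE: $cert"
        return 3
    fi
    echo "OK: $cert"
    return 0
}

# Usage: sh check_root_cert.sh --check verify-full /usr/share/foreman
if [ "${1:-}" = "--check" ]; then
    check_root_cert "${2:-verify-full}" "${3:-/usr/share/foreman}"
fi
```

Run it as the foreman user so that the readability test reflects that account's permissions.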

Comment 5 Satellite Program 2018-07-03 14:17:58 UTC
Upstream bug assigned to ekohlvan

Comment 6 Satellite Program 2018-07-03 14:18:01 UTC
Upstream bug assigned to ekohlvan

Comment 7 Satellite Program 2018-07-03 22:18:12 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/22940 has been resolved.

Comment 9 Lukáš Hellebrandt 2018-09-05 11:40:07 UTC
Verified with Sat 6.4 snap 20.

Set up a PostgreSQL server, configure it to listen on all interfaces (postgresql.conf), create a user, enable password login, create a database named after the user, generate certificates ( https://www.postgresql.org/docs/9.5/static/ssl-tcp.html ), and force SSL (hostssl in pg_hba.conf).

Copy the generated root.crt to another machine.

On that other machine, use reproducer from comment 4. The installation is successful and the Satellite instance works.

Comment 10 Bryan Kearney 2018-10-16 19:01:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927

