Bug 1670138 - SSL certificate registration does not overwrite existing server.cer and server.cer.key
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.11.0
Assignee: Joe Vlcek
QA Contact: Md Nadeem
Docs Contact: Red Hat CloudForms Documentation
Reported: 2019-01-28 16:50 UTC by Brant Evans
Modified: 2020-09-17 19:27 UTC (History)

Fixed In Version: 5.11.0.1
Last Closed: 2019-12-12 13:35:20 UTC
Category: Bug
Cloudforms Team: CFME Core
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:4199 0 None None None 2019-12-12 13:35:31 UTC

Description Brant Evans 2019-01-28 16:50:20 UTC
Description of problem:
Using appliance_console_cli to set SSL Certs does not overwrite the existing server.cer and server.cer.key

Version-Release number of selected component (if applicable):
cfme-5.9.7.2-1.el7cf.x86_64

How reproducible:
always

Steps to Reproduce:
(Requires an IDM server to be set up and configured)

1. Configure an appliance as normal so evmserverd processes start

     appliance_console_cli \
       --region=1 \
       --internal \
       --username=root \
       --password=redhat \
       --key \
       --dbdisk=/dev/vdb


2. Use appliance_console_cli to join the appliance to an IPA domain

     appliance_console_cli \
       --ipaserver=idm.example.com \
       --ipaprincipal=admin \
       --ipapassword=redhat

3. Use appliance_console_cli to set up SSL Certs

     appliance_console_cli \
       --ca=ipa \
       --http-cert


Actual results:
The certificate is created in IPA, but the /var/www/miq/vmdb/certs/server.cer and server.cer.key are not overwritten. The root.crt file is created.

Expected results:
The server.cer and server.cer.key files are the SSL certificate from IPA and not the self-signed certs.

Additional info:
I was able to work around this issue by removing/renaming the /var/www/miq/vmdb/server.cer and server.cer.key prior to running the command in step 3 above.
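
A post-run check for the symptom reported above, as an added example that is not part of the original report or of the ManageIQ code: it classifies the certificate pair as still self-signed, mismatched with its key, or issued by the CA in root.crt. The function name, the location of root.crt next to server.cer, and the availability of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the HTTP cert/key pair.
# server.cer and server.cer.key paths come from the report; the root.crt
# location in the same directory is an assumption. Override via arguments.
CERT_DIR=/var/www/miq/vmdb/certs

# Prints one of: missing | self-signed | key-mismatch | untrusted | ok
# Returns 0 only for "ok".
check_http_cert() {
    cert=${1:-$CERT_DIR/server.cer}
    key=${2:-$CERT_DIR/server.cer.key}
    ca=${3:-$CERT_DIR/root.crt}

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo missing; return 1; }
    done

    # A self-signed certificate has identical subject and issuer names,
    # which is what is left behind when the old files are not overwritten.
    subj=$(openssl x509 -in "$cert" -noout -subject_hash)
    issr=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subj" = "$issr" ]; then echo self-signed; return 1; fi

    # The certificate and key must be the same pair; this catches the case
    # where only one of the two files was replaced.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then echo key-mismatch; return 1; fi

    # Match on the "OK" line rather than the exit status, because some
    # older openssl releases exit 0 even when verification fails.
    if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo ok; return 0
    fi
    echo untrusted; return 1
}
```

Run `check_http_cert` with no arguments on the appliance after step 3; any result other than `ok` means the IPA-issued certificate is not the one on disk.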

Comment 3 CFME Bot 2019-03-04 22:38:22 UTC
New commit detected on ManageIQ/manageiq-appliance_console/master:

https://github.com/ManageIQ/manageiq-appliance_console/commit/6188f0550209f9b03d15b63793818e137068c4ce
commit 6188f0550209f9b03d15b63793818e137068c4ce
Author:     Joe VLcek <jvlcek>
AuthorDate: Fri Mar  1 14:34:24 2019 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Fri Mar  1 14:34:24 2019 -0500

    Handle existing certs and support rerun of cert generation

    Will address:
      https://bugzilla.redhat.com/show_bug.cgi?id=1670138

 lib/manageiq/appliance_console/certificate.rb | 22 +-
 spec/certificate_authority_spec.rb | 6 +-
 spec/certificate_spec.rb | 27 +-
 3 files changed, 46 insertions(+), 9 deletions(-)

Comment 7 errata-xmlrpc 2019-12-12 13:35:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4199

Comment 8 Devidas Gaikwad 2020-02-20 12:50:26 UTC
Hello Satoe Imaishi,
I think it is a major issue still present on 5.10.X. Is it possible to clone this issue to 5.10.X, because I am still facing this issue on 5.10.X?

