Bug 1670150 - Setting up Postgres server SSL certificates on IPA server fails
Summary: Setting up Postgres server SSL certificates on IPA server fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.7
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: GA
Target Release: 5.11.0
Assignee: Nick Carboni
QA Contact: Sudhir Mallamprabhakara
Docs Contact: Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-01-28 17:39 UTC by Brant Evans
Modified: 2019-12-12 13:35 UTC (History)

Fixed In Version: 5.11.0.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-12 13:35:20 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2019:4199 (Last Updated: 2019-12-12 13:35:31 UTC)

Description Brant Evans 2019-01-28 17:39:25 UTC
Description of problem:
Setting up Postgres server SSL certificates fails to generate a certificate on IPA and configure it.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
(Requires an IDM server to be set up and configured)

1. Configure an appliance as normal so evmserverd processes start

     appliance_console_cli \
       --region=1 \
       --internal \
       --username=root \
       --password=redhat \
       --key \
       --dbdisk=/dev/vdb


2. Use appliance_console_cli to join the appliance to an IPA domain

     appliance_console_cli \
       --ipaserver=idm.example.com \
       --ipaprincipal=admin \
       --ipapassword=redhat

3. Use appliance_console_cli to set up SSL Certs

     appliance_console_cli \
       --ca=ipa \
       --postgres-server-cert \
       --http-cert

Actual results:
The certificate is not created in IDM and the command errors.

[root@egs-cf1 ~]# appliance_console_cli \
>   --ca=ipa \
>   --postgres-server-cert \
>   --http-cert
creating ssl certificates
configuring postgres to use certs
/opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/database_configuration.rb:281:in `block in initialize_from_hash': Invalid argument: ssl (ArgumentError)
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/database_configuration.rb:275:in `each'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/database_configuration.rb:275:in `initialize_from_hash'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/database_configuration.rb:32:in `initialize'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/internal_database_configuration.rb:24:in `initialize'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/certificate_authority.rb:93:in `new'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/certificate_authority.rb:93:in `configure_pgserver'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/certificate_authority.rb:46:in `activate'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/cli.rb:332:in `install_certs'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/cli.rb:178:in `run'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/lib/manageiq/appliance_console/cli.rb:412:in `parse'
	from /opt/rh/cfme-gemset/gems/manageiq-appliance_console-2.0.3/bin/appliance_console_cli:7:in `<top (required)>'
	from /opt/rh/cfme-gemset/bin/appliance_console_cli:22:in `load'
	from /opt/rh/cfme-gemset/bin/appliance_console_cli:22:in `<main>'


Expected results:
SSL certificate is created in IDM and Postgres server is configured to use the SSL certificate.

Additional info:

Comment 2 Joe Rafaniello 2019-01-29 20:08:32 UTC
Brant, was this working from the CLI previously? Is it a regression? If so, what version last worked?

Comment 3 Brant Evans 2019-01-29 21:14:19 UTC
Joe,

I have no idea if it was working previously; this is the first time that I've tried to use it.

Regards,
Brant

Comment 4 Nick Carboni 2019-02-07 15:43:27 UTC
Brant,

Since we started using ssl with generated certs by default on configuration, the PG certs are installed in the data directory.

Is there some more complex task that needs to be completed in your case or would it be easier to just overwrite the existing cert and key manually?

Nick

Comment 5 Brant Evans 2019-02-07 16:12:12 UTC
Nick,

I didn't know that PG was configured by default with self-signed ssl certs. Thanks for that info.

For my case, I saw the option on appliance_console_cli to set up SSL certs for PG, which I decided to try. There is no documentation about the option that I could find. I was guessing that appliance_console_cli needed to be run with the --postgres-server-cert option on the appliance with the PG database and with the --postgres-client-cert option on appliances where evmserverd is running. When I used the --postgres-server-cert option I got the error, and I didn't try using the --postgres-client-cert option.

Using appliance_console_cli to set up getting a signed HTTP cert (--http-cert option) from IdM worked well (other than having to move the cert and key file out of the way before running the command, but that's another BZ). It would be good to be able to use a CA-signed cert from IdM for PG as well and not have any self-signed certs.

I like that the appliance_console_cli sets up certmonger to manage renewal of the certificate. So there are a few more steps than just getting a cert from the CA and replacing the file in the data directory.


Brant
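Comments 4 and 5 turn on whether the PostgreSQL server certificate in the data directory is the self-signed one generated at configuration time or a CA-issued one from IdM. The following Ruby is an added example (not code from this bug report or from the manageiq-appliance_console gem) that classifies a PEM certificate as self-signed or issued by a given CA; the CA, the server certificates and the CN `pgdb.example.test` are constructed in memory, and the data-directory path in the comment is an assumption.

```ruby
require 'openssl'

# Classify a PEM certificate: self-signed means issuer == subject and the
# signature verifies with the cert's own key; issued_by_ca means the issuer
# matches the supplied CA and the signature verifies with the CA's key.
def classify_pg_cert(cert_pem, ca_pem: nil)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  self_signed = cert.issuer == cert.subject && cert.verify(cert.public_key)
  issued_by_ca = false
  if ca_pem
    ca = OpenSSL::X509::Certificate.new(ca_pem)
    issued_by_ca = cert.issuer == ca.subject && cert.verify(ca.public_key)
  end
  { subject: cert.subject.to_s, issuer: cert.issuer.to_s,
    self_signed: self_signed, issued_by_ca: issued_by_ca,
    not_after: cert.not_after }
end

# Constructed test material: build a cert signed either by itself or by the
# given issuer (hypothetical CA standing in for the IdM CA).
def make_cert(subject_cn, issuer_cert: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

CA_CERT, CA_KEY = make_cert('Constructed IdM CA', ca: true)
SELF_SIGNED_PEM = make_cert('pgdb.example.test').first.to_pem
CA_ISSUED_PEM   = make_cert('pgdb.example.test', issuer_cert: CA_CERT, issuer_key: CA_KEY).first.to_pem

if $PROGRAM_NAME == __FILE__
  # On an appliance, read the server cert from the PG data directory instead,
  # e.g. File.read('/var/lib/pgsql/data/server.crt') (path is an assumption).
  puts classify_pg_cert(SELF_SIGNED_PEM, ca_pem: CA_CERT.to_pem)
  puts classify_pg_cert(CA_ISSUED_PEM, ca_pem: CA_CERT.to_pem)
end
```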

Comment 6 Joe Vlcek 2019-02-07 16:50:12 UTC
Brant,

Are you able to connect to the IPA server using dbus-send [1] after your step #2 above?

2. Use appliance_console_cli to join the appliance to an IPA domain

     appliance_console_cli \
       --ipaserver=idm.example.com \
       --ipaprincipal=admin \
       --ipapassword=redhat



Instead of using the appliance_console_cli, if you use the non-cli version of the
appliance_console and select option: Configure External Authentication (httpd)
are you able to use the configured IPA server using dbus-send [1] ?

[1] dbus-send example for you to try:

% dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:<valid user in your IPA server> array:string:mail,givenname,sn,displayname,domainname

Comment 9 Brant Evans 2019-02-07 17:29:57 UTC
Joe,

Yes dbus-send works properly. I am able to login to CF using my IdM credentials. 

Running appliance_console_cli --http-cert is able to successfully get and configure an SSL cert for the Apache config. For some reason getting a cert using the --pg-server-cert option is failing with the above error. 

The version of IdM that is being used is 4.6.4 (in case that makes a difference).


dbus-send output:

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:bevans array:string:mail,givenname,sn,displayname,domainname
method return time=1549560203.364071 sender=:1.48 -> destination=:1.94 serial=5 reply_serial=2
   array [
      dict entry(
         string "mail"
         variant             array [
               string "bevans@<REDACTED>"
            ]
      )
      dict entry(
         string "givenname"
         variant             array [
               string "Brant"
            ]
      )
      dict entry(
         string "sn"
         variant             array [
               string "Evans"
            ]
      )
      dict entry(
         string "displayname"
         variant             array [
               string "Brant Evans"
            ]
      )
      dict entry(
         string "domainname"
         variant             array [
               string "<REDACTED>"
            ]
      )
   ]

Comment 10 Joe Vlcek 2019-02-07 17:54:25 UTC
(In reply to Brant Evans from comment #9)
> Joe,
> 
> Yes dbus-send works properly. I am able to login to CF using my IdM
> credentials. 
> 
> Running appliance_console_cli --http-cert is able to successfully get and
> configure an SSL cert for the Apache config. For some reason getting a cert
> using the --pg-server-cert option is failing with the above error. 
> 
> The version of IdM that is being used is 4.6.4 (in case that makes a
> difference).
> 
> 
> dbus-send output:
> 
> # dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe
> /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr
> string:bevans array:string:mail,givenname,sn,displayname,domainname
> method return time=1549560203.364071 sender=:1.48 -> destination=:1.94
> serial=5 reply_serial=2
>    array [
>       dict entry(
>          string "mail"
>          variant             array [
>                string "bevans@<REDACTED>"
>             ]
>       )
>       dict entry(
>          string "givenname"
>          variant             array [
>                string "Brant"
>             ]
>       )
>       dict entry(
>          string "sn"
>          variant             array [
>                string "Evans"
>             ]
>       )
>       dict entry(
>          string "displayname"
>          variant             array [
>                string "Brant Evans"
>             ]
>       )
>       dict entry(
>          string "domainname"
>          variant             array [
>                string "<REDACTED>"
>             ]
>       )
>    ]


Thank you Brant!

It seems to me that the issue is with the appliance_console_cli support for `--pg-server-cert` and has nothing to do with IPA config.
Does that seem correct to you too?

JoeV

Comment 11 Brant Evans 2019-02-08 17:24:32 UTC
Joe,

I agree. This is only to do with the `--pg-server-cert`.

Brant

Comment 17 CFME Bot 2019-05-14 21:32:41 UTC
New commit detected on ManageIQ/manageiq-appliance_console/master:

https://github.com/ManageIQ/manageiq-appliance_console/commit/f6b450be7226eeed054ddae542042441c14679fb
commit f6b450be7226eeed054ddae542042441c14679fb
Author:     Nick Carboni <ncarboni>
AuthorDate: Thu May  9 17:44:29 2019 -0400
Commit:     Nick Carboni <ncarboni>
CommitDate: Thu May  9 17:44:29 2019 -0400

    Remove postgres cert management code Cli and CertificateAuthority

    This has not been used from the GUI console since 2014 and has not
    worked from the Cli since at least 2017

    We now configure ssl certs by default when the database is configured
    and, if they wish, users can now make changes to the database configuration
    in order to install their own certs.

    https://bugzilla.redhat.com/show_bug.cgi?id=1670150

 lib/manageiq/appliance_console/certificate_authority.rb | 59 +-
 lib/manageiq/appliance_console/cli.rb | 6 +-
 spec/certificate_authority_spec.rb | 82 +-
 spec/cli_spec.rb | 22 +-
 4 files changed, 10 insertions(+), 159 deletions(-)

Comment 18 Nick Carboni 2019-05-17 13:10:02 UTC
The choice here was to remove the functionality rather than try to revive something that has been broken (and presumably unused) for years.

From a console gem release perspective, removing a feature would require a major version bump, but 5.10 is using version 3.x and version 4.x is already released and is only compatible with appliances using postgres 10. For that reason, it will be rather difficult to backport this.

Is it acceptable to only "fix" this in later, 4.x, versions of the console and therefore only have the BZ "fixed" in 5.11?

Comment 19 dmetzger 2019-05-21 13:27:07 UTC
Nick, targeting this for 5.11 only is fine.

Comment 21 CFME Bot 2019-06-10 21:01:17 UTC
New commit detected on ManageIQ/manageiq-appliance/master:

https://github.com/ManageIQ/manageiq-appliance/commit/75ce77ffa125ab85aa493def3a6804eddd46968a
commit 75ce77ffa125ab85aa493def3a6804eddd46968a
Author:     Nick Carboni <ncarboni>
AuthorDate: Mon Jun 10 16:20:29 2019 -0400
Commit:     Nick Carboni <ncarboni>
CommitDate: Mon Jun 10 16:20:29 2019 -0400

    Bump console version to 5.0.0

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1629853
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1670150

 manageiq-appliance-dependencies.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 22 Antonin Pagac 2019-07-02 08:24:23 UTC
Appliance version 5.11.0.11.

There is no '--postgres-client-cert' or '--postgres-server-cert' option when running appliance_console_cli.

Comment 25 errata-xmlrpc 2019-12-12 13:35:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4199

