1980910 – install fails when using https for installation source because curl cannot load ca-bundle.crt

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1980910 - install fails when using https for installation source because curl cannot load ca-bundle.crt

Summary: install fails when using https for installation source because curl cannot lo...

Keywords:
Status:	CLOSED DUPLICATE of bug 1982271
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	anaconda
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	beta
Target Release:	---
Assignee:	Anaconda Maintenance Team
QA Contact:	Release Test Team
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1975278 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-07-09 19:57 UTC by Alex Schultz
Modified:	2021-07-14 15:27 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-14 15:27:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alex Schultz 2021-07-09 19:57:14 UTC

Description of problem:
Attempting to use an https source for the install.img results in the installation hanging because it cannot verify the ssl certificate due to:

[   11.753820] dracut-initqueue[1203]: curl: (77) error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt


Version-Release number of selected component (if applicable):


How reproducible:

100% if using https source


Steps to Reproduce:
1. Use virt install to attempt to install from the odcs composes
WORK_DIR=$(pwd)
MIRROR="https://odcs.stream.centos.org/test/latest-CentOS-Stream/compose"
DISK_SIZE=10


virt-install \
    --transient \
    --name=centos-9-stream \
    --ram=4096 \
    --arch=x86_64 \
    --cpu=host \
    --vcpus=4 \
    --os-variant=rhel8.0 \
    --extra-args="ipv6.disable=1 inst.text console=tty0 console=ttyS0,115200 rd_NO_PLYMOUTH" \
    --disk="${WORK_DIR}/centos-9-stream.img,size=${DISK_SIZE},sparse=true,format=qcow2" \
    --location="${MIRROR}/BaseOS/x86_64/os" \
    --serial=pty \
    --nographics


Actual results:

Install haults because it cannot fetch the install.img

[   10.239528] dracut-initqueue[1071]: Warning: can't find installer main image path in .treeinfo
[   10.264253] dracut-initqueue[1209]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[   10.266804] dracut-initqueue[1209]:                                  Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[   10.327793] dracut-initqueue[1209]: curl: (77) error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt
[   10.333588] dracut-initqueue[1203]: Warning: Downloading 'https://odcs.stream.centos.org/test/latest-CentOS-Stream/compose/BaseOS/x86_64/os/images/install.img' failed!
[   10.361152] dracut-initqueue[1219]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[   10.361407] dracut-initqueue[1219]:                                  Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[   10.418645] dracut-initqueue[1219]: curl: (77) error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt
[   10.435797] dracut-initqueue[1213]: Warning: Downloading 'https://odcs.stream.centos.org/test/latest-CentOS-Stream/compose/BaseOS/x86_64/os/LiveOS/squashfs.img' failed!
[   10.436456] dracut-initqueue[1071]: Warning: anaconda: failed to fetch stage2 from https://odcs.stream.centos.org/test/latest-CentOS-Stream/compose/BaseOS/x86_64/os
<info>  [1625860137.9996] policy: set-hostname: set hostname to 'localhost.localdomain' (no hostname found)
[  148.798622] dracut-initqueue[1071]: Warning: dracut-initqueue: timeout, still waiting for following initqueue hooks:
[  148.805771] dracut-initqueue[1071]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2froot.sh: "[ -e "/dev/root" ]"
[  148.813008] dracut-initqueue[1071]: Warning: /lib/dracut/hooks/initqueue/finished/nm.sh: "[ -f /tmp/nm.done ]"
[  148.819697] dracut-initqueue[1071]: Warning: /lib/dracut/hooks/initqueue/finished/wait_for_settle.sh: "[ -f /tmp/settle.done ]"
[  148.829479] dracut-initqueue[1071]: Warning: dracut-initqueue: starting timeout scripts
...SNIP...
[  219.804591] dracut-initqueue[1071]: Warning: /lib/dracut/hooks/initqueue/finished/wait_for_settle.sh: "[ -f /tmp/settle.done ]"
[  219.808806] dracut-initqueue[1071]: Warning: dracut-initqueue: starting timeout scripts
[  219.809385] dracut-initqueue[1071]: Warning: Could not boot.
         Starting Dracut Emergency Shell...
Warning: /dev/root does not exist

Generating "/run/initramfs/rdsosreport.txt"


Entering emergency mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot
after mounting them and attach it to a bug report.


Press Enter for maintenance
(or press Control-D to continue): 



Expected results:

install.img should be downloaded and the installation should continue.

Additional info:

If you configure a passthrough proxy (e.g. via nginx) that handles the http/https transition the installation works fine.

Comment 1 Alex Schultz 2021-07-09 20:07:54 UTC

switched component to anaconda as it appears the request is coming from https://github.com/rhinstaller/anaconda/blob/master/dracut/anaconda-lib.sh

Comment 2 Alex Schultz 2021-07-09 20:11:17 UTC

Adding inst.noverifyssl to the extra-args seems to disable the ssl verification and allows it to continue

Comment 3 Jan Stodola 2021-07-12 15:19:52 UTC

The whole /etc/pki is missing in the RHEL-9 installation initrd:

$ lsinitrd /mnt/redhat/rhel-9/nightly/RHEL-9-Beta/RHEL-9.0.0-20210709.2/compose/BaseOS/x86_64/os/images/pxeboot/initrd.img | grep etc/pki
$

Compare with RHEL-8:
$ lsinitrd /mnt/redhat/rhel-8/nightly/RHEL-8/RHEL-8.5.0-20210712.n.1/compose/BaseOS/x86_64/os/images/pxeboot/initrd.img | grep etc/pki
drwxr-xr-x   4 root     root            0 Apr 26 03:30 etc/pki
drwxr-xr-x   3 root     root            0 Apr 26 03:30 etc/pki/ca-trust
drwxr-xr-x   3 root     root            0 Apr 26 03:30 etc/pki/ca-trust/extracted
drwxr-xr-x   2 root     root            0 Apr 26 03:30 etc/pki/ca-trust/extracted/pem
-r--r--r--   1 root     root       200578 Apr 26 03:30 etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x   3 root     root            0 Apr 26 03:30 etc/pki/tls
drwxr-xr-x   2 root     root            0 Apr 26 03:30 etc/pki/tls/certs
lrwxrwxrwx   1 root     root           46 Apr 26 03:30 etc/pki/tls/certs/ca-bundle.crt -> ../../ca-trust/extracted/pem/tls-ca-bundle.pem
$

Comment 4 David Tardon 2021-07-14 08:42:57 UTC

*** Bug 1975278 has been marked as a duplicate of this bug. ***

Comment 5 Jiri Konecny 2021-07-14 15:27:43 UTC

Hi, this issue is happening because newer version of Dracut is using bash features which needs a bit different setup. 
This issue is already fixed in upstream Lorax in the bug 1962975. There is now clone for RHEL-9 bug 1982271 . Closing this one as duplicate of the upstream clone because it has more details.

*** This bug has been marked as a duplicate of bug 1982271 ***

Note You need to log in before you can comment on or make changes to this bug.