Bug 2166839 - satellite does not work when crypto policy future is enabled
Summary: satellite does not work when crypto policy future is enabled
Keywords:
Status: CLOSED COMPLETED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.12.1
Hardware: All
OS: All
Priority: unspecified
Severity: low
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Gaurav Talreja
URL:
Whiteboard:
Depends On: 2117265
Blocks:
Reported: 2023-02-03 06:46 UTC by Benjamin Hackl-Blaimschein
Modified: 2023-03-06 05:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-02-27 08:12:38 UTC
Target Upstream Version:
Embargoed:
benjamin.hackl-blaimschein: needinfo-



Description Benjamin Hackl-Blaimschein 2023-02-03 06:46:44 UTC
Description of problem:

Installer does not warn if crypto policy is set to future. Installer runs, but some services silently fail - e.g. 


Version-Release number of selected component (if applicable):

6.12.1 - but probably all versions > 6.11


How reproducible:

always.


Steps to Reproduce:
1. update-crypto-policies --set future
2. systemctl reboot
3. satellite-installer --scenario satellite
4. hammer ping

Actual results:

# hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          FAIL
    Server Response: Message: Failed to open TCP connection to localhost:23443 (Connection refused - connect(2) for "localhost" port 23443)
candlepin_auth:   
    Status:          FAIL
    Server Response: Message: A backend service [ Candlepin ] is unreachable
candlepin_events: 
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp3:            
    Status:          ok
    Server Response: Duration: 240ms
pulp3_content:    
    Status:          ok
    Server Response: Duration: 58ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 3ms




Expected results:

hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          ok
    Server Response: Duration: 20ms
candlepin_auth:   
    Status:          ok
    Server Response: Duration: 16ms
candlepin_events: 
    Status:          ok
    message:         27 Processed, 0 Failed
    Server Response: Duration: 0ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp3:            
    Status:          ok
    Server Response: Duration: 268ms
pulp3_content:    
    Status:          ok
    Server Response: Duration: 231ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 4ms


Additional info:

Update documentation and/or implement an installer check.

Comment 1 Ewoud Kohl van Wijngaarden 2023-02-23 15:17:15 UTC
(In reply to Benjamin Hackl-Blaimschein from comment #0)
> Installer does not warn if crypto policy is set to future. Installer runs,
> but some services silently fail - e.g. 

This is all Candlepin, which has been fixed in https://github.com/theforeman/puppet-candlepin/commit/86bb0923677aa7586709ae4266f1c8bf9a1e97c4. https://bugzilla.redhat.com/show_bug.cgi?id=2117265#c2 contains some notes on overriding the ciphers in custom-hiera.yaml, though you should remove that once Satellite defaults to the more secure ciphers.

> Update documentation and/or implement an installer check.

This has been added to the documentation. I can't link exactly to the sentence, but https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#system-requirements_satellite is the chapter that includes:

> Satellite supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Satellite and Capsule installations. 

An installer check has a problem. https://bugzilla.redhat.com/show_bug.cgi?id=2117265 is still open for real support, but currently it's blocked on CDN access which we don't control. If we implement a check, it requires Satellite to push an update to remove that check when the CDN does support it.

So in summary:

* It's already documented in the system requirements
* A future Satellite itself should work out of the box with FUTURE crypto-policy
* It's unknown when the Red Hat CDN becomes compatible with FUTURE crypto-policy
* An installer check for a non-local dependency can create issues down the line

Because of that I'm inclined to close this bug now. Do you agree your concern has been addressed?

Comment 2 Benjamin Hackl-Blaimschein 2023-02-27 08:12:38 UTC
Yes please close. Documentation already states that FUTURE crypto-policy is not supported. Somehow I missed this, sorry. Thank you.
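
Added example (not part of the bug report or of satellite-installer): an operator-side preflight that compares the active crypto policy with the DEFAULT and FIPS policies quoted from the system requirements in comment 1, for running before `satellite-installer`. The function names and return codes are hypothetical, and accepting subpolicy modifiers such as `DEFAULT:SHA1` is an assumption the documentation quote does not cover.

```shell
#!/bin/sh
# Preflight: check the system crypto policy against the policies the Satellite
# system requirements list as supported (DEFAULT, FIPS). Names are hypothetical.

# Print the active policy, e.g. "DEFAULT", "FUTURE" or "DEFAULT:SHA1".
current_crypto_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    elif [ -r /etc/crypto-policies/state/current ]; then
        cat /etc/crypto-policies/state/current
    else
        return 1
    fi
}

# classify_crypto_policy POLICY
# Returns 0 = supported, 1 = FUTURE (documented as unsupported),
#         2 = anything else (not listed as supported), 3 = empty input.
classify_crypto_policy() {
    p=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    [ -n "$p" ] || return 3
    base=${p%%:*}    # assumption: ignore subpolicy modifiers such as ":SHA1"
    case "$base" in
        DEFAULT|FIPS) return 0 ;;
        FUTURE)       return 1 ;;
        *)            return 2 ;;
    esac
}

preflight_crypto_policy() {
    policy=$(current_crypto_policy) || {
        echo "crypto policy: cannot determine (crypto-policies not found)" >&2
        return 3
    }
    rc=0
    classify_crypto_policy "$policy" || rc=$?
    case $rc in
        0) echo "crypto policy $policy: supported" ;;
        1) echo "crypto policy $policy: FUTURE is not supported; Candlepin fails in 'hammer ping'" >&2 ;;
        *) echo "crypto policy $policy: not listed as supported (DEFAULT, FIPS)" >&2 ;;
    esac
    return $rc
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    preflight_crypto_policy
    exit $?
fi
```

Because the allowlist lives in a script the operator controls rather than in the installer, it can be relaxed locally once FUTURE is supported, which avoids the update dependency raised in comment 1.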

