Red Hat Bugzilla – Bug 497110
spacewalk-certs-tools, rhn-ssl-tool has traceback with option --gen-ca
Last modified: 2009-09-10 10:38:25 EDT
Description of problem:
cannot generate SSL key pair with rhn-ssl-tool
Version-Release number of selected component (if applicable):
rpm -qf `which rhn-ssl-tool`
Steps to Reproduce:
1. cd /root
2. rhn-ssl-tool --gen-server
3. rhn-ssl-tool --gen-ca
Generating web server's SSL certificate request: ./ssl-build/xen44.englab.brq/server.csr
Using distinguished names:
--set-country = "US"
--set-state = "North Carolina"
--set-city = "Raleigh"
--set-org = "Example Corp. Inc."
--set-org-unit = "unit"
--set-hostname = "xen44.englab.brq.redhat.com"
--set-email = "firstname.lastname@example.org"
Backup made: 'server.csr' --> 'server.csr.1'
Rotated: server.csr --> server.csr.1
Generating/signing web server's SSL certificate: server.crt
Backup made: 'server.crt' --> 'server.crt.1'
Rotated: server.crt --> server.crt.1
ERROR: unhandled exception occurred:
Traceback (most recent call last):
File "/usr/bin/rhn-ssl-tool", line 58, in ?
sys.exit(mod.main() or 0)
File "/usr/share/rhn/certs/rhn_ssl_tool.py", line 1221, in main
ret = _main() or 0
File "/usr/share/rhn/certs/rhn_ssl_tool.py", line 1189, in _main
File "/usr/share/rhn/certs/rhn_ssl_tool.py", line 1029, in genServerRpm
raise Exception("No jabber/jabberd user on system")
Exception: No jabber/jabberd user on system
RHN proxy requires SSL key pair for installation.
when I add users jabber+jabberd, then it works
Description of the problem:
when we are installing proxy using webui installer from hosted, it do not have "enable push" option - which is perfectly valid since hosted do not support this.
When push is not enabled, then jabberd is not installed - still perfectly valid since we do not need it for anything.
But rhn_ssl_tool.py expect jabberd user since commit 023fc16f4aca7c477730246f945200290c6f2f52
Accepted. Assigning to Devan per commit:
Should be a simple check.
Two ways to go about this, I'm making a choice for one but will document both incase anyone sees any problems with it.
(1) Change the ownership to fall back on root:root if jabberd user isn't found. (very easy)
(2) Don't include jabberd.pem in the generated rpm at all if jabberd user isn't found on the system where the rpm is built.
I'm taking path (1) as I don't really know for sure how this RPM could be used and it seems less likely to introduce problems elsewhere if we keep the jabberd cert included.
[17:09] <dgoodwin> msuchy: just drafting a comment now I think I have a feeling which direction to take
[17:09] <dgoodwin> msuchy: comment posted
[17:15] <msuchy> dgoodwin: I'm not sure with 1) what will happen if you install proxy withou jabber, run this toll, install resulted package (therefore as root:root) and then reinstall proxy with jabber and generate new package, will it be then installed as jabberd:jabberd ?
[17:15] <msuchy> dgoodwin: I suppose that 2) can be safe
[17:15] <dgoodwin> should come out as jabberd:jabberd if you regenerate the rpm and re-install
[17:15] <dgoodwin> hmmm maybe
[17:16] <dgoodwin> i will test, a root:root jabberd 0600 is probably useless anyhow
[17:16] <msuchy> dgoodwin: yeah, correct 1) will work, but I will personaly vote for 2)
[17:17] <dgoodwin> msuchy: yeah i think i agree with you, i'll change that and go with 2)
Implemented option (2) and tested upgrades from versions with and without the cert, seems to work fine.
Mistake on my part, this ticket is not yet on QA, the commit was made after the merge.
Moved this ON_QA when infact I missed the merge window. Back to modified.
reproduced with old and it works with latest version: spacewalk-certs-tools-0.5.5-5.el4sat
Created cert works with RHN proxy 5.2
verified in stage
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.