Bug 505325 - Proxy cmd line installer failing to generate/sign SSL cert
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite Proxy 5
Classification: Red Hat
Component: Installer
530
All Linux
urgent Severity high
Assigned To: Miroslav Suchý
Jeff Browning
Blocks: 456999
Reported: 2009-06-11 10:03 EDT by wes hayutin
Modified: 2009-09-10 10:39 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 10:39:15 EDT
Attachments:
sosreport from proxy (2.70 MB, application/x-bzip2), 2009-06-11 10:07 EDT, wes hayutin

Description wes hayutin 2009-06-11 10:03:16 EDT
Description of problem:

sat530 rhel 5 6/5.1 build sat proxy cmd line installer 530

root@dhcp77-204 ssl-build]# configure-proxy.sh --answer-file=/root/answers.txt 
RHN Parent [grandprix.rhndev.redhat.com]: grandprix.rhndev.redhat.com
Proxy version to activate [5.3]: 5.3
Traceback email [whayutin@redhat.com]: whayutin@redhat.com
Use SSL [1]: 1
CA Chain [/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT]: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP Proxy []: 
Regardless of whether you enabled SSL for the connection to the Spacewalk Parent
Server, you will be prompted to generate an SSL certificate.
This SSL certificate will allow client systems to connect to this Spacewalk Proxy
securely. Refer to the Spacewalk Proxy Installation Guide for more information.
Organization [Red Hat]: Red Hat
Organization Unit [RHEN]: RHEN
Common Name [Red Hat Test]: Red Hat Test
City [Raleigh]: Raleigh
State [NC]: NC
Country code [US]: US
Email [whayutin@redhat.com]: whayutin@redhat.com
API version: 5.3.0
RHN Proxy successfully activated.
Loaded plugins: rhnplugin, security
Setting up Install Process
Parsing package install arguments
Package spacewalk-proxy-management-0.5.7-5.el5sat.noarch already installed and latest version
Nothing to do
You do not have monitoring installed. Do you want to install it?
Will run 'yum install spacewalk-proxy-monitoring'. [N]: N
Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
Generating SSL key and public certificate:

ERROR: web server's SSL certificate generation/signing failed:

Using configuration from /root/ssl-build/rhn-ca-openssl.cnf
unable to load CA private key
3489:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:332:
3489:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

SSL key generation failed! Installation interrupted.
API version: 5.3.0
WARNING: upon deactivation attempt: unknown error - <Fault -1: 'redstone.xmlrpc.XmlRpcFault: unhandled internal exception: No row with the given identifier exists: [com.redhat.rhn.domain.server.ProxyInfo#1000010365]'>
Comment 1 wes hayutin 2009-06-11 10:07:52 EDT
Created attachment 347402 [details]
sosreport from proxy
Comment 2 Clifford Perry 2009-06-11 10:14:06 EDT
Mirek to review the SSL error. 

The error at bottom :

API version: 5.3.0
WARNING: upon deactivation attempt: unknown error - <Fault -1:
'redstone.xmlrpc.XmlRpcFault: unhandled internal exception: No row with the
given identifier exists: [com.redhat.rhn.domain.server.ProxyInfo#1000010365]'>  

is already covered by bug 505170. 

Cliff
Comment 3 Miroslav Suchý 2009-06-12 11:15:43 EDT
The problem occurs when the CA password is entered in the answer file:
This works:
 /usr/bin/rhn-ssl-tool --gen-server --no-rpm --set-hostname dhcp77-204.rhndev.redhat.com --dir=/root/ssl-build --set-country=US --set-city=Raleigh --set-state=NC --set-org="Red Hat" --set-org-unit=RHEN --set-email=whayutin@redhat.com --password 'foo'

But this (which we use) does not work:
P="--password 'foo'"
/usr/bin/rhn-ssl-tool --gen-server --no-rpm --set-hostname dhcp77-204.rhndev.redhat.com --dir=/root/ssl-build --set-country=US --set-city=Raleigh --set-state=NC --set-org="Red Hat" --set-org-unit=RHEN --set-email=whayutin@redhat.com $P

since it is taken as one parameter with a space.
Will fix on Monday.
Comment 4 Miroslav Suchý 2009-06-15 03:24:45 EDT
Committed as b948594a5d12b523705271bf957cca89cdb43843
pass two parameters as two parameters
previous syntax has been read as one parameter "--password pswd"
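
The quoting behaviour discussed in comments 3 and 4, as an added example that is not part of the bug thread and is not the committed fix (the commit's contents are not shown on this page). It covers both ways an option packed into one shell variable can reach a tool, next to the two-parameter form. `show_args` is a hypothetical stand-in for `rhn-ssl-tool` that prints the arguments it receives, and the password is a constructed sample value.

```shell
#!/bin/sh
# Added illustration. show_args is a hypothetical stand-in for the tool that
# receives the arguments; it prints the argument count, then each one in <>.
show_args() {
    printf '%d' "$#"
    for a in "$@"; do printf ' <%s>' "$a"; done
    printf '\n'
}

PASSWORD='foo'   # constructed sample value

# 1. Option and value packed into one variable, expanded inside double quotes:
#    the tool receives a single argument "--password foo".
packed_quoted() {
    P="--password $PASSWORD"
    show_args --gen-server "$P"
}

# 2. Quote characters stored inside the variable, expanded unquoted: the shell
#    splits on whitespace but never re-parses the stored quotes, so the value
#    arrives with the quote characters as part of it.
packed_unquoted() {
    P="--password '$PASSWORD'"
    show_args --gen-server $P
}

# 3. Two parameters passed as two parameters. The value is quoted at the call
#    site, so a password containing spaces still arrives as one argument.
separate() {
    show_args --gen-server --password "$PASSWORD"
}

# 4. Optional password: expands to nothing when PASSWORD is empty or unset,
#    and to exactly two arguments otherwise.
optional() {
    show_args --gen-server ${PASSWORD:+--password "$PASSWORD"}
}

packed_quoted
packed_unquoted
separate
optional
```

Only forms 3 and 4 hand the tool the option and the exact password as two separate arguments.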
Comment 5 Miroslav Suchý 2009-06-17 04:05:54 EDT
iso 20090616
moving to ON_QA
Comment 6 Jan Pazdziora 2009-07-03 07:44:15 EDT
When I put the correct SSL password in the answer file, configure-proxy.sh runs OK:

# /usr/sbin/configure-proxy.sh --answer-file=/tmp/answers.txt
RHN Parent [rlx-1-18.rhndev.redhat.com]: rlx-1-18.rhndev.redhat.com
Proxy version to activate [5.3]: 5.3
Traceback email [jpazdziora@redhat.com]: jpazdziora@redhat.com
Use SSL [1]: 1
CA Chain [/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT]: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP Proxy []: 
Regardless of whether you enabled SSL for the connection to the Spacewalk Parent
Server, you will be prompted to generate an SSL certificate.
This SSL certificate will allow client systems to connect to this Spacewalk Proxy
securely. Refer to the Spacewalk Proxy Installation Guide for more information.
Organization [Red Hat]: Red Hat
Organization Unit [Spacewalk]: Spacewalk
Common Name [Red Hat Test]: Red Hat Test
City [Raleigh]: Raleigh
State [NC]: NC
Country code [US]: US
Email [jpazdziora@redhat.com]: jpazdziora@redhat.com
API version: 5.3.0
RHN Proxy successfully deactivated.
RHN Proxy successfully activated.
Loaded plugins: rhnplugin
Setting up Install Process
Parsing package install arguments
Package spacewalk-proxy-management-0.5.7-7.el5sat.noarch already installed and latest version
Nothing to do
You do not have monitoring installed. Do you want to install it?
Will run 'yum install spacewalk-proxy-monitoring'. [N]: N
Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
Generating SSL key and public certificate:
Installing SSL certificate for Apache and Jabberd:
Preparing packages for installation...
rhn-org-httpd-ssl-key-pair-vmware145.englab.brq-1.0-3
Create and populate configuration channel rhn_proxy_config_1000010320? [Y]: Y
Using server name rlx-1-18.rhndev.redhat.com
Creating config channel rhn_proxy_config_1000010320

Config channel rhn_proxy_config_1000010320 already exists
Using server name rlx-1-18.rhndev.redhat.com
Pushing to channel rhn_proxy_config_1000010320:
Local file /etc/httpd/conf.d/ssl.conf -> remote file /etc/httpd/conf.d/ssl.conf
Local file /etc/rhn/rhn.conf -> remote file /etc/rhn/rhn.conf
Local file /etc/rhn/cluster.ini -> remote file /etc/rhn/cluster.ini
Local file /etc/squid/squid.conf -> remote file /etc/squid/squid.conf
Local file /etc/httpd/conf.d/cobbler-proxy.conf -> remote file /etc/httpd/conf.d/cobbler-proxy.conf
Local file /etc/httpd/conf/httpd.conf -> remote file /etc/httpd/conf/httpd.conf
Local file /etc/httpd/conf.d/rhn_proxy.conf -> remote file /etc/httpd/conf.d/rhn_proxy.conf
Local file /etc/httpd/conf.d/proxy_broker.conf -> remote file /etc/httpd/conf.d/proxy_broker.conf
Local file /etc/httpd/conf.d/proxy_redirect.conf -> remote file /etc/httpd/conf.d/proxy_redirect.conf
Local file /etc/jabberd/c2s.xml -> remote file /etc/jabberd/c2s.xml
Local file /etc/jabberd/sm.xml -> remote file /etc/jabberd/sm.xml
Enabling Spacewalk Proxy.
Shutting down rhn-proxy...
Shutting down Jabber router:                               [  OK  ]
Stopping httpd:                                            [  OK  ]
Stopping squid: .                                          [  OK  ]
Done.
Starting rhn-proxy...
Starting squid: .                                          [  OK  ]
Starting httpd:                                            [  OK  ]
Starting Jabber services                                   [  OK  ]
Done.

When I put in a wrong password, configure-proxy.sh fails with

Generating SSL key and public certificate:

ERROR: web server's SSL certificate generation/signing failed:

Using configuration from /root/ssl-build/rhn-ca-openssl.cnf
unable to load CA private key
4618:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:325:
4618:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

SSL key generation failed! Installation interrupted.
API version: 5.3.0
RHN Proxy successfully deactivated.

Therefore, the password is correctly used. Marking as VERIFIED.
Comment 8 Brandon Perkins 2009-09-10 10:39:15 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1433.html
