Bug 599042 - Installation over HTTPS Fails
Installation over HTTPS Fails
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: anaconda (Show other bugs)
6.1
All Linux
low Severity low
: rc
: ---
Assigned To: Ales Kozumplik
Release Test Team
:
Depends On: 599040
Blocks: 647893 660340
  Show dependency treegraph
 
Reported: 2010-06-02 11:10 EDT by Marko Myllynen
Modified: 2014-09-30 19:39 EDT (History)
10 users (show)

See Also:
Fixed In Version: anaconda-13.21.84-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 599040
: 660340 (view as bug list)
Environment:
Last Closed: 2011-05-19 08:29:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marko Myllynen 2010-06-02 11:10:20 EDT
+++ This bug was initially created as a clone of Bug #599040 +++

Creating this bug report for tracking the feature in RHEL 6.

Description of problem:
When trying to do partly kickstart based installation of Fedora from an HTTPS repository, the attempt will fail if the certificate is self-signed (in other words it is not signed by a well-known CA). The user could make the used CA certificate trusted by modifying the global storage of trusted certificates (currently /etc/pki/tls/certs/ca-bundle.crt). This could be done in a %pre script, e.g:

%pre
cat >/etc/pki/tls/certs/ca-bundle.crt <<END
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
MdRAGmI0Nj81Aa6sY6A=
-----END CERTIFICATE-----
%end

It is of course up to the user to make sure the certificate/kickstart file is obtained from a trusted source.

However, in some cases this workaround might not be optimal, ideally the installer could, for example, present a pop-up window asking whether or not to accept the certificate if the CA cert is not well-known (perhaps in the same spirit as Firefox does).
Comment 3 RHEL Product and Program Management 2010-06-04 09:43:21 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 11 RHEL Product and Program Management 2010-10-29 17:32:09 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.
Comment 12 Ales Kozumplik 2010-12-06 10:53:35 EST
Fixed on rhel6-branch by
d40bfb8389074ad5983a8c082d17056d81b1e255,
5543b2c7babf343a82d586aa378008bea549d8ba,
b4fe453611886f28b8669b8f5cb2f4a0a0111400 and
e32f4a2a45bc74f5413c3b48f8de20cac1025fbf.

Will be fixed in anaconda-13.21.84-1.

See also bug 660340.
Comment 16 Ales Kozumplik 2011-02-21 03:25:42 EST
There has been three additional bugs opened describing problems with the feature opened: bug 678580, bug 678580 and bug 678574.

Moving this back to modified.
Comment 18 Alexander Todorov 2011-03-30 09:13:39 EDT
This is more like a tracker bug. I will move it to VERIFIED and will track remaining issues in separate BZs.
Comment 19 errata-xmlrpc 2011-05-19 08:29:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0530.html

Note You need to log in before you can comment on or make changes to this bug.