Red Hat Bugzilla – Bug 667122
Anaconda doesn't work with https enabled repos.
Last modified: 2014-09-30 19:39:38 EDT
Created attachment 471674
Don't know if you need anything from this, but here is a small part from the ks file.
Description of problem:
Try to add a repo using https.
Version-Release number of selected component (if applicable):
Anaconda used in RHEL 6.
Steps to Reproduce:
1. Add a repo like this in kickstart-file
repo --name=rhel6_test --baseurl=https://test.foo.bar
2. Try to install with that kickstart file.
Actual results:
Anaconda tells me "Peer cert cannot be verified or peer cert invalid".
Expected results:
Anaconda adds the repository as expected.
The repo is OK and the cert is issued by: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
- If I use http instead of https it works as expected.
- If I use wget on https://test.foo.bar, it will not validate the certificate *unless* the link /etc/pki/tls/cert.pem -> valid ca-bundle.crt exists. If this link exists, wget validates our certificate as expected, but anaconda still rejects with "Peer cert cannot be verified or peer cert invalid".
can you attach '/tmp/anaconda.log' to this bug? Also: what step do you see the error, is it during package selection?
Yes sure, it fails right after the partitioning process. I think it says something like "retrieving information from foo-repo", and then presents the error "Unable to read package metadata. This may be due to a missing repodata directory...." Attaching log.
Created attachment 471693
Note that I only added https on one of the repos during this test.
We are missing libnsspem.so in the image for some reason and I think this is what prevents libcurl from verifying a certificate. Fix coming shortly.
QA, this can be verified by trying to use urlgrabber or curl (must be scp'd into the installation's /tmp) to download any file from an https server that uses a certificate of a well-known authority from /etc/pki/tls/certs/ca-bundle.crt; if you don't have such a private key/certificate then just overwrite ca-bundle.crt with a generated one.
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update release.
I've confirmed this, I rebuilt the install.img with the libnsspem.so included in /usr/lib64/ (running 64bit), and now the https enabled repo works.
Before I did the rebuild I tried to scp over curl and ran curl in verbose mode, but it was complaining about missing libnsspem.so. After copying the lib over to /tmp and adding /tmp to LD_LIBRARY_PATH, running curl against an https address works as expected.
Thanks for the quick response on this.
Btw, I mounted the img (mount -o loop install.img /foo), copied it over to /bar, inserted libnsspem.so into /bar/usr/lib64/ and ran mksquashfs on /bar to generate a new install.img.
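The two procedures described in this thread, the QA check that libnsspem.so is present in the stage2 image and that curl can verify an https peer against the CA bundle, and the manual rebuild of install.img with the library inserted, as shell helpers. This is an added example, not code from the bug report or from Anaconda; the paths (/usr/lib64 for a 64-bit image, /etc/pki/tls/certs/ca-bundle.crt) are taken from the comments above and are assumptions, and the curl exit-code meanings are curl's documented ones.

```shell
#!/bin/sh
# Added example (not from the bug report or from Anaconda). Assumed paths:
# usr/lib64 inside the stage2 tree, /etc/pki/tls/certs/ca-bundle.crt as CA bundle.

# Return 0 if libnsspem.so exists under the lib dir of an unpacked stage2 tree.
has_nsspem() {
    tree="$1"
    libdir="${2:-usr/lib64}"
    [ -f "$tree/$libdir/libnsspem.so" ]
}

# Map a curl exit status to what it means for this bug (curl's documented codes):
# 0 = success, 60 = peer certificate cannot be authenticated with known CAs,
# 77 = problem reading the CA certificate file (e.g. a missing bundle).
explain_curl_status() {
    case "$1" in
        0)  echo "verified" ;;
        60) echo "peer-cert-unverified" ;;
        77) echo "ca-bundle-unreadable" ;;
        *)  echo "other-failure($1)" ;;
    esac
}

# Fetch an https URL, verifying the peer against the CA bundle. If extra_libdir
# is given (e.g. /tmp after scp'ing libnsspem.so into the installer), prepend it
# to LD_LIBRARY_PATH the way the reporter did.
check_https() {
    url="$1"
    bundle="${2:-/etc/pki/tls/certs/ca-bundle.crt}"
    extra_libdir="$3"
    if [ -n "$extra_libdir" ]; then
        LD_LIBRARY_PATH="$extra_libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
            curl -sS --cacert "$bundle" -o /dev/null "$url"
    else
        curl -sS --cacert "$bundle" -o /dev/null "$url"
    fi
    # $? here is curl's exit status from whichever branch ran.
    explain_curl_status $?
}

# Rebuild install.img with libnsspem.so inserted. Needs root for the loop mount.
#   rebuild_install_img install.img /path/to/libnsspem.so install-new.img
rebuild_install_img() {
    img="$1"; lib="$2"; out="$3"
    libdir="${4:-usr/lib64}"
    mnt=$(mktemp -d) && work=$(mktemp -d) || return 1
    mount -o loop "$img" "$mnt" || return 1
    cp -a "$mnt"/. "$work"/
    umount "$mnt"
    install -m 0755 "$lib" "$work/$libdir/libnsspem.so"
    # Sanity check before packing: the library must now be in the tree.
    has_nsspem "$work" "$libdir" || return 1
    mksquashfs "$work" "$out" -noappend
}
```

Usage inside the installer's shell: `check_https https://test.foo.bar` should print `verified` once the library is in the image; before the fix, with libnsspem.so copied to /tmp, `check_https https://test.foo.bar "" /tmp` reproduces the reporter's LD_LIBRARY_PATH workaround. `has_nsspem /path/to/unpacked/stage2` is the quick check QA can run against a tree before attempting a network fetch.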
*** Bug 660565 has been marked as a duplicate of this bug. ***
Fixed by b3c70555b64c9a1accb294f31c4dfeb14c33d0b2.
Ales -- is there a test spin we can use? Thanks!
you'll need to wait for a nightly build that includes anaconda-13.21.87-1. We did the build of *-86 just yesterday, it's going to take at most 7 days before we do *-87 (but possibly much sooner if there are emergency fixes that need to make it to the nightlies) and then around one day until it makes it to the nightlies. So I would say you can test this with nightlies from Monday 16th.
Thanks Ales, I'll test once available...
libnsspem.so is present in the stage2 image for the 0308.n.1 tree, and using curl against an https URL signed by a well-known CA works as expected.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.