Red Hat Bugzilla – Bug 821949
installation fails if kickstart is served over https:// with an unrecognised CA certificate
Last modified: 2012-06-26 02:40:06 EDT
Description of problem:
Since native provisioning serves the kickstarts from the scheduler and our scheduler is configured to do https, anaconda fails to install.
Version-Release number of selected component (if applicable):
In an effort to serve everything to the test machines through the lab controller, would it be possible to proxy this from the lab controller? Or should we leave that alone for now and simply strip ks=https:// to ks=http:// ?
The problem here is not with SSL itself, but rather because our Beaker server is using an SSL certificate signed by the internal CA which is not included in Anaconda's CA bundle.
As a workaround we can add 'noverifyssl' to kernel options. That will make Anaconda skip certificate checks.
The proper solution would be to add our CA certificate to Anaconda's bundle somehow. I can't find any documented way of doing this, but I imagine we could add an updates image that includes the extra certificate in the right places. This doesn't seem worth the effort though.
I'm thinking the best solution would be to add "global" install options to the config file, which are applied first (before distro tree, system, recipe). They would default to blank, but anyone who is using a custom SSL CA (like us) could put 'noverifyssl' in the kernel options.
On Gerrit: http://gerrit.beaker-project.org/1075
noverifyssl will not work with all versions of anaconda since it was added recently.
My suggestion is we come up with a mod_rewrite rule that can be put in beaker-server.conf
(In reply to comment #4)
> noverifyssl will not work with all versions of anaconda since it was added
> My suggestion is we come up with a mod_rewrite rule that can be put in
Of course that's impossible. Whatever the rewrite rule says, anaconda would still first have to make a connection to 443. :-)
We need to serve the url without https to begin with like we do for the harness repo.
Second try: http://gerrit.beaker-project.org/1079
Beaker 0.9.0 has been released.