Bug 821949 - installation fails if kickstart is served over https:// with an unrecognised CA certificate
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Community
Component: scheduler
Assigned To: Dan Callaghan
Reported: 2012-05-15 16:43 EDT by Bill Peck
Modified: 2012-06-26 02:40 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-26 02:40:06 EDT
Type: Bug
Description Bill Peck 2012-05-15 16:43:10 EDT
Description of problem:
Since native provisioning serves the kickstarts from the scheduler and our scheduler is configured to do https, anaconda fails to install.

Version-Release number of selected component (if applicable):
0.8.99


In an effort to serve everything to the test machines through the lab controller, would it be possible to proxy this from the lab controller? Or should we leave that alone for now and simply strip ks=https:// to ks=http:// ?
Comment 1 Dan Callaghan 2012-05-20 21:21:14 EDT
The problem here is not with SSL itself, but rather because our Beaker server is using an SSL certificate signed by the internal CA which is not included in Anaconda's CA bundle.

As a workaround we can add 'noverifyssl' to kernel options. That will make Anaconda skip certificate checks.

The proper solution would be to add our CA certificate to Anaconda's bundle somehow. I can't find any documented way of doing this, but I imagine we could add an updates image that includes the extra certificate in the right places. This doesn't seem worth the effort though.
Comment 2 Dan Callaghan 2012-05-20 22:38:29 EDT
I'm thinking the best solution would be to add "global" install options to the config file, which are applied first (before distro tree, system, recipe). They would default to blank, but anyone who is using a custom SSL CA (like us) could put 'noverifyssl' in the kernel options.
Comment 3 Dan Callaghan 2012-05-20 23:36:10 EDT
On Gerrit: http://gerrit.beaker-project.org/1075
Comment 4 Bill Peck 2012-05-21 14:07:57 EDT
noverifyssl will not work with all versions of anaconda since it was added recently.


My suggestion is we come up with a mod_rewrite rule that can be put in beaker-server.conf
Comment 5 Bill Peck 2012-05-21 14:56:36 EDT
(In reply to comment #4)
> noverifyssl will not work with all versions of anaconda since it was added
> recently.
> 
> 
> My suggestion is we come up with a mod_rewrite rule that can be put in
> beaker-server.conf

Of course that's impossible. Whatever the rewrite rule says, anaconda would still first have to make a connection to 443. :-)

We need to serve the url without https to begin with like we do for the harness repo.
Comment 6 Dan Callaghan 2012-05-22 01:36:04 EDT
Second try: http://gerrit.beaker-project.org/1079
Comment 8 Dan Callaghan 2012-06-26 02:40:06 EDT
Beaker 0.9.0 has been released.
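
Added example, not part of the bug thread or Beaker's code: both workarounds discussed above ('noverifyssl' in comments 1 and 2, plain http in comment 5) leave the kickstart fetch unauthenticated, so this script merges install-option layers in the order comment 2 describes and reports which recipes end up that way. The override rule (a later layer wins), the layer names, hostnames and recipe names are assumptions constructed for illustration.

```python
import shlex

# Layer order from comment 2: global options are applied first.
LAYERS = ("global", "distro_tree", "system", "recipe")

def parse_kernel_options(text):
    """Parse 'key=value flag ...' into a dict; bare flags map to None."""
    opts = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        opts[key] = value if sep else None
    return opts

def effective_options(layers):
    """Merge layers in LAYERS order; later layers override earlier (assumed rule)."""
    merged = {}
    for name in LAYERS:
        merged.update(parse_kernel_options(layers.get(name, "")))
    return merged

def kickstart_transport(opts):
    """Classify how the kickstart fetch named by ks= is protected."""
    url = opts.get("ks")
    if not url:
        return "no-kickstart"
    scheme = url.split(":", 1)[0].lower()
    if scheme == "https":
        return "https-unverified" if "noverifyssl" in opts else "https-verified"
    return "http-cleartext" if scheme == "http" else "other:" + scheme

def audit(recipes):
    """Return {name: classification} for recipes whose fetch is not authenticated."""
    results = {name: kickstart_transport(effective_options(layers))
               for name, layers in recipes.items()}
    return {n: c for n, c in results.items() if c in ("https-unverified", "http-cleartext")}

# Constructed sample data: hostnames and recipe names are illustrative only.
SAMPLE = {
    "verified": {"recipe": "ks=https://beaker.example.com/kickstart/1"},
    "global-noverify": {"global": "noverifyssl",
                        "recipe": "ks=https://beaker.example.com/kickstart/2 console=ttyS0,115200"},
    "downgraded": {"system": "ksdevice=eth0", "recipe": "ks=http://beaker.example.com/kickstart/3"},
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, finding)
```

A recipe reported as `https-unverified` or `http-cleartext` receives its kickstart without authenticating the server, so anything on the network path between the test machine and the scheduler can alter the installation.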
