Bug 912911 - Register client server via bootstrap.sh to Satellite server fails because of SSL certificate validation error.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Registration
Version: 550
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Pavel Studeník
URL:
Whiteboard:
Depends On:
Blocks: sat560-blockers
 
Reported: 2013-02-20 00:57 UTC by James Thorne
Modified: 2013-10-01 21:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-01 21:55:09 UTC
Target Upstream Version:
Embargoed:



Description James Thorne 2013-02-20 00:57:38 UTC
Description of problem:
Registering a client server via bootstrap.sh to a Satellite 5.4.1 or 5.5.0 server fails because of an SSL certificate validation error.

The problem is on line 195 of bootstrap.sh. The rpm command is used to fetch the Satellite Certificate Authority RPM file. The rpm command uses curl to fetch the file and by default curl verifies the SSL certificate, but because the client server does not already have the Satellite Certificate Authority installed, the file download will fail because of an SSL certificate validation error. Using the rpm command bypasses the logic done on lines 115 - 135 to prevent this problem.

Version-Release number of selected component (if applicable):
(Satellite 5.4.1) spacewalk-certs-tools.noarch        1.7.3-3.el6sat
(Satellite 5.5.0) spacewalk-certs-tools.noarch        1.7.3-4.el6sat 

How reproducible:
Always.

Steps to Reproduce:
1. On the Satellite server, generate a new bootstrap.sh by executing "rhn-bootstrap" as root. Make the necessary changes to the new bootstrap.sh in /var/www/html/pub/bootstrap: Comment out "exit 1", and set ACTIVATION_KEYS=.
2. On the client server, wget the new bootstrap.sh: wget http://satellite.foo.net/pub/bootstrap/bootstrap.sh
3. On the client server, execute the bootstrap.sh
  
Actual results:

UPDATING RHN_REGISTER/UP2DATE CONFIGURATION FILES
-------------------------------------------------
* downloading necessary files
  client_config_update.py...
  client-config-overrides.txt...
* running the update scripts
  . up2date config file
* /etc/sysconfig/rhn/up2date written

* attempting to install corporate public CA cert
Retrieving https://satellite.foo.net/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
error: skipping https://satellite.foo.net/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm - transfer failed

REGISTRATION
------------
* registering
An error has occurred:
ERROR: can not find RHNS CA file: /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
See /var/log/up2date for more information

*** Error: Registering the system failed.

Expected results:

UPDATING RHN_REGISTER/UP2DATE CONFIGURATION FILES
-------------------------------------------------
* downloading necessary files
  client_config_update.py...
  client-config-overrides.txt...
* running the update scripts
  . up2date config file

* attempting to install corporate public CA cert
Preparing...                ########################################### [100%]
   1:rhn-org-trusted-ssl-cer########################################### [100%]

REGISTRATION
------------
* registering

*** this system should now be registered, please verify ***

Additional info:

The following patch fixes this problem:

--- bootstrap.sh        2013-02-19 18:42:38.270585609 -0600
+++ bootstrap.sh   		2013-02-19 18:43:52.117534716 -0600
@@ -192,7 +192,8 @@
 echo
 echo "* attempting to install corporate public CA cert"
 if [ $ORG_CA_CERT_IS_RPM_YN -eq 1 ] ; then
-    rpm -Uvh --force --replacefiles --replacepkgs ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT}
+    $FETCH ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT}
+    rpm -Uvh --force --replacefiles --replacepkgs ${ORG_CA_CERT}
 else
     rm -f ${ORG_CA_CERT}
     $FETCH ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT}
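Review bot: the added `$FETCH ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT}` line has its exit status ignored and, unlike the `else` branch two lines below, is not preceded by `rm -f ${ORG_CA_CERT}`, so a failed download lets the following `rpm -Uvh --force --replacefiles --replacepkgs ${ORG_CA_CERT}` run against a missing or stale file. The fetch also still targets the HTTPS URL, so it only succeeds when `$FETCH` has already been configured to skip certificate verification, and the RPM that becomes the client's trust anchor is then installed on nothing more than that unverified download. Suggest mirroring the `else` branch (`rm -f ${ORG_CA_CERT}` first), checking `$FETCH`'s return before calling `rpm`, and comparing the downloaded file against a fingerprint embedded in the generated bootstrap.sh before installing it.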

Comment 2 Michael Mráka 2013-02-28 10:32:35 UTC
The issue has been fixed in Spacewalk 1.8 (spacewalk-certs-tools-1.8.4-1) via

commit ba3433047a3760b753e76982d427d46fbaf8b5bf
    download CA cert via http
    fixing chicken-or-egg problem when download of CA cert fails because
    server cert can't be validated without CA cert

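Both the reporter's patch above (fetch with verification disabled) and the upstream fix in Comment 2 (fetch over plain http) resolve the chicken-or-egg failure by accepting the CA-cert RPM without any check, which is trust-on-first-use. The snippet below is an added example, not code from bootstrap.sh or from Spacewalk: it keeps the unverified download but refuses to install the RPM unless its SHA-256 matches a fingerprint the administrator pins into the generated bootstrap.sh. The names PINNED_SHA256, fetch_untrusted, verify_pinned and install_ca_rpm are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of bootstrap.sh or Spacewalk): install the Satellite
# CA-cert RPM only if it matches a fingerprint pinned into the script.
# PINNED_SHA256 is an assumed variable; the admin sets it when generating
# bootstrap.sh (e.g. from "sha256sum" of the RPM on the Satellite itself).
PINNED_SHA256="${PINNED_SHA256:-}"

# Print the SHA-256 hex digest of a file; portable across sha256sum, shasum
# and openssl so it works on older and newer clients alike.
sha256_of() {
    f="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | awk '{print $1}'
    else
        openssl dgst -sha256 "$f" | awk '{print $NF}'
    fi
}

# Return 0 when the file's digest equals the expected one (case-insensitive),
# 1 when it differs, when the file is unreadable, or when no pin is configured.
verify_pinned() {
    file="$1"; expected="$2"
    [ -n "$expected" ] || { echo "no pinned fingerprint configured" >&2; return 1; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# The download itself cannot be validated: the client has no trust anchor yet
# (the exact situation in the bug). -k disables curl's verification, so the
# pin check afterwards is the only thing that makes this safe.
fetch_untrusted() {
    url="$1"; out="$2"
    rm -f "$out"                          # never install a stale leftover
    curl -sSf -k -o "$out" "$url"
}

# Fetch, verify against the pin, and only then hand the RPM to rpm.
install_ca_rpm() {
    url="$1"; rpmfile="$2"
    fetch_untrusted "$url" "$rpmfile" || { echo "download of $url failed" >&2; return 1; }
    if ! verify_pinned "$rpmfile" "$PINNED_SHA256"; then
        echo "fingerprint mismatch, refusing to install $rpmfile" >&2
        rm -f "$rpmfile"
        return 1
    fi
    rpm -Uvh --force --replacefiles --replacepkgs "$rpmfile"
}
```

In a generated bootstrap.sh this would be invoked as `PINNED_SHA256=<hex digest> install_ca_rpm ${HTTPS_PUB_DIRECTORY}/${ORG_CA_CERT} ${ORG_CA_CERT}`; the pin is what turns an unauthenticated http or -k download into something a client can actually rely on for its trust anchor.
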
Comment 6 Raul Cheleguini 2013-09-25 20:11:48 UTC
Hello all,

Do we have an ETA about the final fix for this?
It is completely reproducible with spacewalk-certs-tools-1.7.3-4.el6sat.noarch.

Apparently the workaround is to edit the bootstrap and change USING_SSL from 1 to 0.

Thanks.

Comment 7 Clifford Perry 2013-10-01 21:55:09 UTC
Satellite 5.6 has been released. This bug was tracked under the release.  

This bug was either VERIFIED or RELEASE_PENDING (re-verified shortly
before release).

Moving to CLOSED CURRENT_RELEASE. 

Text from Upgrade Erratum follows:

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1395.html

