Bug #17378

candlepin uses ca cert for server cert

Added by Chris Duryee 10 months ago. Updated 6 months ago.

Status:Closed
Priority:High
Assigned To:Andrew Kofink
Category:Installer
Target version:Team Brad - Iteration 12
Difficulty:
Pull request:https://github.com/Katello/puppet-certs/pull/128
Bugzilla link:
Story points-
Velocity based estimate-
Release:Katello 3.4.0
Release relationship:Auto

Description

When the following options are specified (puppet 3), the installer fails to run (db:seed error):

[root@katello ~]# foreman-installer --scenario katello\
--enable-foreman-plugin-discovery\
--enable-foreman-plugin-hooks\
--enable-foreman-plugin-openscap\
--enable-foreman-plugin-remote-execution\
--enable-foreman-plugin-templates\
--certs-ca-common-name="Example Lifecycle management Root CA"\
--certs-ca-expiration=3650\
--certs-expiration=3650\
--certs-country="FR"\
--certs-city="Toulouse"\
--certs-org="Example Lifecycle management"\
--certs-org-unit="Lyra Network Infrastructures"\
--foreman-admin-email=""\
--foreman-initial-location="France"\
--foreman-initial-organization="Example - FR - Test"\
--katello-enable-ostree=true \
--disable-system-checks

The error is:

/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]

katello.log - foreman-installer logs (1.55 MB) Baptiste Agasse, 11/17/2016 09:24 AM

Associated revisions

Revision b0c60e73
Added by Timo Goebel 6 months ago

fixes #17378 - tomcat has dedicated certificate

History

#1 Updated by Baptiste Agasse 10 months ago

Attached file: /var/log/foreman-installer/katello.log
The error happens around 15:12.

Steps to reproduce:

  • Reproducible 100% of the time
  • Install CentOS 7 x86_64 minimal
cat >/etc/yum.repos.d/CentOS-Atomic.repo <<EOL
# CentOS-Atomic.repo
#
# Get rpm-ostree deps from this buildlogs repo because CentOS don't provide them on mirrors ATM

[atomic]
name=CentOS-\$releasever - Atomic
#mirrorlist=http://mirrorlist.centos.org/?release=\$releasever&arch=\$basearch&repo=os&infra=\$infra
baseurl=http://buildlogs.centos.org/centos/\$releasever/atomic/\$basearch/Packages/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
EOL

yum update -y
yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.2/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall http://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install foreman-release-scl
yum -y install katello

foreman-installer --scenario katello\
  --enable-foreman-plugin-discovery\
  --enable-foreman-plugin-hooks\
  --enable-foreman-plugin-openscap\
  --enable-foreman-plugin-remote-execution\
  --enable-foreman-plugin-templates\
  --certs-ca-common-name="Example Lifecycle management Root CA"\
  --certs-ca-expiration=3650\
  --certs-expiration=3650\
  --certs-country="FR"\
  --certs-city="Toulouse"\
  --certs-org="Example Lifecycle management"\
  --certs-org-unit="Example Infrastructures"\
  --foreman-admin-email="foobar@example.com"\
  --foreman-admin-first-name="Foo"\
  --foreman-admin-last-name="Bar"\
  --foreman-initial-location="France"\
  --foreman-initial-organization="Example - FR - Test"\
  --katello-enable-ostree=true \
  --disable-system-checks

#2 Updated by Baptiste Agasse 10 months ago

I forgot to say that removing the --certs-ca-common-name="Example Lifecycle management Root CA" option makes the install finish successfully.

#3 Updated by Eric Helms 10 months ago

  • Release set to Katello 3.3.0

#4 Updated by Justin Sherrill 9 months ago

  • Release changed from Katello 3.3.0 to Katello Backlog

#5 Updated by Justin Sherrill 9 months ago

  • Subject changed from unable to run installer with certs options to unable to run installer with certs options (Candlepin uses CA cert as server cert)
  • Release changed from Katello Backlog to Katello 3.4.0

The reason this is failing is that Candlepin is using the CA cert as its server cert, and since, with the ca-name option, the common name in the cert does not match the FQDN, communication with it will fail.
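
The failure described in the comment above is an ordinary TLS server-identity check: a client compares the name it connected to against the certificate's subjectAltName dNSName entries (or, absent those, the commonName), so a CA certificate whose CN is "Example Lifecycle management Root CA" can never be accepted for the Katello FQDN. The example below is added here and is not Katello or Candlepin code; it models only the identity fields (CN, SAN, basicConstraints CA flag) rather than parsing real certificates, and the hostname katello.example.com is a placeholder. It also shows why the CA-as-server setup only appeared to work when the CA CN happened to equal the FQDN (an assumption about the default, not stated on this page).

```python
"""Simplified RFC 6125 server-identity check. Constructed example, not Katello code."""
from dataclasses import dataclass


@dataclass
class CertIdentity:
    """Identity fields a TLS client extracts from a certificate (constructed shape)."""
    common_name: str
    san_dns: tuple = ()        # subjectAltName dNSName entries
    is_ca: bool = False        # basicConstraints CA:TRUE


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and must not stand alone before a suffix
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def check_server_identity(cert: CertIdentity, fqdn: str) -> list:
    """Return the reasons a client would reject this cert for `fqdn` (empty list = OK)."""
    problems = []
    if cert.is_ca:
        problems.append("certificate is a CA certificate, not an end-entity server certificate")
    # Once any dNSName SAN is present the commonName is not consulted at all.
    names = cert.san_dns or (cert.common_name,)
    source = "subjectAltName" if cert.san_dns else "commonName"
    if not any(_name_match(n, fqdn) for n in names):
        problems.append(f"{source} {list(names)} does not match host {fqdn}")
    return problems


# Constructed identities mirroring the report (placeholder hostname).
KATELLO_FQDN = "katello.example.com"
CA_CERT_CUSTOM_CN = CertIdentity("Example Lifecycle management Root CA", is_ca=True)
CA_CERT_FQDN_CN = CertIdentity(KATELLO_FQDN, is_ca=True)          # assumed pre-fix default
DEDICATED_TOMCAT_CERT = CertIdentity(KATELLO_FQDN, san_dns=(KATELLO_FQDN,))

if __name__ == "__main__":
    for label, cert in (("CA cert, custom CN", CA_CERT_CUSTOM_CN),
                        ("CA cert, CN = FQDN", CA_CERT_FQDN_CN),
                        ("dedicated Tomcat cert", DEDICATED_TOMCAT_CERT)):
        print(f"{label}: {check_server_identity(cert, KATELLO_FQDN) or 'OK'}")
```

The second case passes the hostname match but is still flagged, which is why a dedicated server certificate (the fix referenced in this issue) is the right remedy rather than forcing the CA CN to equal the FQDN.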

#6 Updated by Justin Sherrill 9 months ago

  • Subject changed from unable to run installer with certs options (Candlepin uses CA cert as server cert) to unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert)

#7 Updated by Justin Sherrill 7 months ago

  • Subject changed from unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert) to candlepin uses ca cert for server cert

#8 Updated by Justin Sherrill 6 months ago

  • Assigned To set to Andrew Kofink
  • Target version set to Team Brad - Iteration 12

#9 Updated by Timo Goebel 6 months ago

  • Pull request https://github.com/Katello/puppet-certs/pull/128 added

This would be my suggestion to fix this:
https://github.com/Katello/puppet-certs/pull/128

#10 Updated by Eric Helms 6 months ago

  • Status changed from New to Ready For Testing

#11 Updated by Timo Goebel 6 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
