Bug #10591
Installation of custom certs causes httpd failure due to bad paths
Status: closed
Description
After creating a new certificate and signing it with our internal CA, I attempted to load the cert into foreman/katello. This cert is intended for the UI only and not for clients. The ca cert, csr, cert, and key were copied to my home directory on the server and the following command was run:
katello-installer --certs-server-cert katello.example.com.2015.crt --certs-server-cert-req katello.example.com.csr --certs-server-key katello.example.com.key --certs-server-ca-cert ca.crt
The installer spit out an error:
Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
And the system was non-functional. Checking the httpd config manually revealed the problem:
$ service httpd configtest
[Fri May 22 10:40:20 2015] [warn] module passenger_module is already loaded, skipping
Syntax error on line 39 of /etc/httpd/conf.d/03-crane.conf:
SSLCertificateChainFile: file '/etc/httpd/ca.crt' does not exist or is empty
When full paths are specified, the error is slightly different:
$ sudo service httpd start
Starting httpd: [Fri May 22 10:18:31 2015] [warn] module passenger_module is already loaded, skipping
Syntax error on line 39 of /etc/httpd/conf.d/03-crane.conf:
SSLCertificateChainFile: file '/home/xenophage/ca.crt' does not exist or is empty
So it would appear that the installer is expecting that the files are already in their final location instead of copying them to a central location. To resolve this I created a new directory, /etc/pki/katello/certs/custom, and placed the files there. Re-running the installer and specifying the full paths resolved the problem.
The installer should either be handling the relocation of these files, or the user needs to be informed that they have to put these files in place prior to running the script. The former would be the preferred solution.
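The following pre-flight check is an added example and is not code from the bug report, from katello-installer or from puppet-capsule. It reproduces the two facts the configtest output above demonstrates: httpd resolves a relative SSL*File argument against ServerRoot (which is why 'ca.crt' became '/etc/httpd/ca.crt'), and it refuses to start when a referenced file does not exist or is empty. It then stages the cert material into a persistent absolute directory (the reporter's workaround location, assumed here as the default) and builds the installer arguments with full paths. The directive names, the sample conf lines and the installer flags are taken from the report; the function names and the sample file contents are constructed for the example.

```python
"""Pre-flight check for custom TLS certs before running katello-installer.

Added example (not Katello's own code). Assumptions: ServerRoot is /etc/httpd,
and /etc/pki/katello/certs/custom is an acceptable persistent location.
"""
import os
import re
import shutil
import stat
import tempfile

# mod_ssl directives whose argument is a file path that httpd opens at start.
SSL_FILE_DIRECTIVES = (
    "SSLCertificateFile",
    "SSLCertificateKeyFile",
    "SSLCertificateChainFile",
    "SSLCACertificateFile",
)
_DIRECTIVE_RE = re.compile(
    r"^\s*(" + "|".join(SSL_FILE_DIRECTIVES) + r")\s+\"?([^\"\s]+)\"?", re.I
)

# Constructed sample resembling the failing lines from 03-crane.conf.
SAMPLE_CONF = """\
SSLEngine on
SSLCertificateFile /etc/pki/katello/certs/katello.example.com.2015.crt
SSLCertificateKeyFile /etc/pki/katello/private/katello.example.com.key
SSLCertificateChainFile ca.crt
"""

# Installer flags from the report, keyed by the kind of file they take.
INSTALLER_FLAGS = {
    "cert": "--certs-server-cert",
    "csr": "--certs-server-cert-req",
    "key": "--certs-server-key",
    "ca": "--certs-server-ca-cert",
}


def resolve(path, server_root="/etc/httpd"):
    """Resolve a directive argument the way httpd does: relative to ServerRoot."""
    return path if os.path.isabs(path) else os.path.join(server_root, path)


def check_ssl_paths(conf_text, server_root="/etc/httpd"):
    """Return (line_no, directive, resolved_path, problem) for every bad path.

    problem is 'relative', 'missing' or 'empty'; a relative path that is also
    missing is reported twice, once per problem.
    """
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, arg = m.group(1), m.group(2)
        path = resolve(arg, server_root)
        if not os.path.isabs(arg):
            problems.append((line_no, directive, path, "relative"))
        if not os.path.isfile(path):
            problems.append((line_no, directive, path, "missing"))
        elif os.path.getsize(path) == 0:
            problems.append((line_no, directive, path, "empty"))
    return problems


def stage_certs(files, dest_dir="/etc/pki/katello/certs/custom"):
    """Copy cert material into a persistent absolute directory.

    files maps INSTALLER_FLAGS keys to source paths. Every source must exist and
    be non-empty (the same condition httpd enforces); the key is stored 0600.
    Returns the absolute destination paths keyed the same way.
    """
    os.makedirs(dest_dir, exist_ok=True)
    staged = {}
    for kind, src in files.items():
        if kind not in INSTALLER_FLAGS:
            raise ValueError("unknown cert kind: %s" % kind)
        if not os.path.isfile(src) or os.path.getsize(src) == 0:
            raise FileNotFoundError("%s: does not exist or is empty" % src)
        dst = os.path.join(os.path.abspath(dest_dir), os.path.basename(src))
        shutil.copy2(src, dst)
        if kind == "key":
            os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR)
        staged[kind] = dst
    return staged


def installer_args(staged):
    """Build the katello-installer argument list using absolute paths only."""
    args = ["katello-installer"]
    for kind, flag in INSTALLER_FLAGS.items():
        if kind in staged:
            args += [flag, staged[kind]]
    return args


if __name__ == "__main__":
    # Run the checker against the constructed conf, using a temp dir as ServerRoot.
    root = tempfile.mkdtemp()
    for line_no, directive, path, problem in check_ssl_paths(SAMPLE_CONF, root):
        print("line %d: %s: %s (%s)" % (line_no, directive, path, problem))
```

Run the checker before `service httpd start` on a machine where the installer has written its Apache config; anything it reports is exactly what configtest will fail on. Staging first and passing the staged absolute paths to the installer avoids both the relative-path and the home-directory failure modes shown above.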
Updated by Dominic Cleal over 9 years ago
- Project changed from Foreman to Katello
- Category deleted (Web Interface)
- Triaged set to No
Updated by Eric Helms over 9 years ago
- Release set to 55
- Triaged changed from No to Yes
For anyone that looks into this, this parameter is referencing the wrong variable -- https://github.com/Katello/puppet-capsule/blob/master/manifests/init.pp#L305
Updated by Jason Frisvold over 9 years ago
Turns out specifying the full path didn't fix things permanently. It reverted back to the old certs, presumably when puppet noticed the change. I manually copied the new certs in place and that seems to be working for now.
Updated by Ivan Necas over 9 years ago
- Bugzilla link set to 1227757
- Pull request https://github.com/Katello/puppet-capsule/pull/49 added
- Pull request deleted ()